thedevs-network/kutt-extension

[BUG] CORS Exclusion rules or some fix?

uhlhosting opened this issue · 6 comments

I just enabled CORS in the Kutt deployment for security testing. What is super funny is that the plugin works fine from Firefox.

Not working from Chrome / Opera.

_generated_background_page.html:1 Access to XMLHttpRequest at 'https://uhl.site/api/url/submit' from origin 'chrome-extension://hjfddajaffgcaickfkfdapafihjbcacl' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://uhl.site' that is not equal to the supplied origin.
uhl.site/api/url/submit:1 Failed to load resource: net::ERR_FAILED

@uhlhosting Please supply http or https to the devMode url. The extension requests permission to all http and https urls.

I did supply https: .

The idea is this: what location exclusion should I add to CORS to have Chrome and Opera working, while, like I said, Firefox works fine? I am not sure what Firefox does, yet it simply works.

> The idea is this: what location exclusion should I add to CORS to have Chrome and Opera working, while, like I said, Firefox works fine? I am not sure what Firefox does, yet it simply works.

This issue is only in the development mode of Kutt, right?

And the error shows that you have only enabled CORS via the core domain. In order to make the extension bypass CORS, you have to enable CORS from every source. Make changes to Kutt itself.

> The 'Access-Control-Allow-Origin' header has a value 'https://uhl.site'

This is not an issue with the extension.

I am just wondering what the incoming source for Chrome is, so that it could be excluded.

> I am just wondering what the incoming source for Chrome is, so that it could be excluded.

From what I guess, CORS must be allowed to all the source endpoints in order to make this work.

Also, did you test the API using some API client like Postman or Insomnia in the development mode?
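An added example, not part of the thread and not Kutt's own code: the error message above shows that Chrome sends `Origin: chrome-extension://hjfddajaffgcaickfkfdapafihjbcacl` while the server answers with a fixed `https://uhl.site`. One way to let that origin through without opening CORS to every source is an exact-match allowlist that echoes the request origin back. The function names, the method and header lists, and the rejected sample origins are assumptions made for this sketch.

```javascript
// Exact-match CORS allowlist (illustrative; names below are hypothetical).
// The two origins are the ones quoted in the browser error in this thread.
const ALLOWED_ORIGINS = new Set([
  'https://uhl.site',
  'chrome-extension://hjfddajaffgcaickfkfdapafihjbcacl',
]);
const ALLOWED_METHODS = 'GET, POST, OPTIONS';        // assumed API surface
const ALLOWED_HEADERS = 'Content-Type, X-API-Key';   // assumed request headers

// Build the CORS response headers for one request's Origin header.
function corsHeaders(requestOrigin) {
  // Vary: Origin keeps a cache from replaying one origin's answer to another.
  const headers = { Vary: 'Origin' };
  // Set.has() is an exact string comparison: no prefix, suffix or regex match.
  if (typeof requestOrigin === 'string' && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // echo, never '*'
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
  }
  return headers;
}

// Answer a preflight (OPTIONS) request: 204 with CORS headers if allowed,
// 403 with no Access-Control-* headers otherwise.
function preflight(requestOrigin) {
  const headers = corsHeaders(requestOrigin);
  const allowed = 'Access-Control-Allow-Origin' in headers;
  return { status: allowed ? 204 : 403, headers };
}

// Constructed sample origins: two allowed, three that must be refused.
const samples = [
  'https://uhl.site',
  'chrome-extension://hjfddajaffgcaickfkfdapafihjbcacl',
  'https://uhl.site.attacker.example',                    // lookalike suffix
  'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',  // other extension id
  'null',                                                 // opaque origin
];
for (const origin of samples) {
  const res = preflight(origin);
  console.log(res.status, origin, res.headers['Access-Control-Allow-Origin'] || '-');
}
```

In a Node or Express handler, the same `corsHeaders` result would be copied onto the response before the route runs.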