rbjtech 4249
Posted September 30, 2021

Hi All,

So I'm now getting CORS errors when trying to use the API via Swagger. A little investigation has indicated that a recent (to me) browser update (both Edge/Chrome - both Chromium based browsers) has tightened security to allow only HTTPS sites to do Cross Object. As swagger (over http) calls the local emby website (over http) - this no longer works - and results in the following error :-

I have also tried using localhost and IP address - same error. Tried different machines, different emby hosts - no difference.

From the Dev tools in the browser - this is being rejected

Security 2
Ensure private network requests are made from secure contexts
Error
A site requested a resource from a network that it could only access because of its users' privileged network position. These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage. To mitigate these risks, Chrome deprecates requests to non-public subresources when initiated from non-secure contexts, and will start blocking them in Chrome 92 (July 2021). To fix this issue, migrate the website that needs to access local resources to HTTPS. If the target resource is not served on localhost, it must also be served on HTTPS to avoid mixed-content issues. Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites.

Using Firefox - the issue does not exist, and I can use the API swagger page fine - suggesting they have not (yet) implemented this security fix.

"Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites."

Is the above 'workaround' something which Emby/Swagger needs to do to allow continued use of the API via swagger?

Thanks.

Luke 37046
Posted September 30, 2021

InsecurePrivateNetworkRequestsAllowed is a browser policy that you'd have to set to allow it. The best answer is to use https and that means setting up https on your server as well. You might be able to use localhost if you use the https version of our swagger docs.

rbjtech 4249 (Author)
Posted September 30, 2021

ah ha - yes that works if I use localhost and the https version of swagger. Bit of a pain though - as I don't admin via the server itself - ie it is not localhost ..

https://swagger.emby.media/?url=http://localhost:8096/emby/openapi&api_key=xxxx

Perhaps the API (swagger) link in the Emby GUI should now default to https ?

I'll look into the Browser policy - thanks, I thought that was a server side setting.

Luke 37046
Posted September 30, 2021

Right, the browsers want everyone switching over to https at this point.
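
Added example, not part of any post in this thread and not Emby or Chrome code: a simplified JavaScript model of the two browser checks named in the DevTools message quoted above (private network requests from non-secure contexts, and mixed content), applied to the URL combinations tried in the thread. It assumes any hostname that is not an IPv4 literal or localhost is public; `192.168.1.50` and port `8920` are constructed sample values.

```javascript
// Simplified model of the checks described in the quoted DevTools message.
// Assumption: no DNS lookup; non-literal hostnames are treated as public,
// and ::1 is the only IPv6 address classified.
function addressSpace(hostname) {
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || host === "::1") return "local";
  const m = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return "public";
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 127) return "local";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  if (a === 169 && b === 254) return "private"; // link-local
  return "public";
}

const RANK = { public: 0, private: 1, local: 2 };

function checkRequest(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const pageSpace = addressSpace(page.hostname);
  const targetSpace = addressSpace(target.hostname);
  // Secure context: HTTPS pages, or pages served from loopback.
  const pageSecure = page.protocol === "https:" || pageSpace === "local";

  // Mixed content: an HTTPS page may fetch plain http:// only from loopback.
  if (page.protocol === "https:" && target.protocol === "http:" && targetSpace !== "local") {
    return "blocked: mixed content";
  }
  // Private network request: the target sits in a less public address space
  // than the page, and the page is not a secure context.
  if (!pageSecure && RANK[targetSpace] > RANK[pageSpace]) {
    return "blocked: insecure private network request";
  }
  return "allowed";
}

// Combinations from the thread, plus constructed LAN addresses.
const cases = [
  ["http://swagger.emby.media/", "http://localhost:8096/emby/openapi"],
  ["https://swagger.emby.media/", "http://localhost:8096/emby/openapi"],
  ["https://swagger.emby.media/", "http://192.168.1.50:8096/emby/openapi"],
  ["https://swagger.emby.media/", "https://192.168.1.50:8920/emby/openapi"],
];
for (const [page, target] of cases) {
  console.log(`${page} -> ${target}: ${checkRequest(page, target)}`);
}
```

The third case is why the HTTPS Swagger page alone is not enough when the server is administered from another machine: the server itself then has to be served over HTTPS as well.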

Happy2Play 8271
Posted November 21, 2021

@Luke can you update the API url link to https for Swagger so we don't have to make any changes for localhost. I am currently just updating the dashboard.js.

Luke 37046
Posted November 21, 2021

Yes that makes sense. Thanks.

Happy2Play 8271
Posted March 25, 2022

On 11/21/2021 at 7:08 AM, Luke said:
    Yes that makes sense. Thanks.

Will this make it into 4.7?