
CORS Issue when trying to use API


rbjtech


Hi All,

So I'm now getting CORS errors when trying to use the API via Swagger. 

A little investigation has indicated that a recent (to me) browser update (both Edge/Chrome - both Chromium based browsers) has tightened security to allow only HTTPS sites to do Cross Object.

As swagger (over http) calls the local emby website (over http) - this no longer works - and results in the following error :-

[Attached screenshot: api_error]

I have also tried using localhost and IP address - same error.  Tried different machines, different emby hosts - no difference.

From the Dev tools in the browser - this is being rejected 

    Security
    Ensure private network requests are made from secure contexts

    Error
    A site requested a resource from a network that it could only access because of its users' privileged network position. These requests expose devices and servers to the internet, increasing the risk of a cross-site request forgery (CSRF) attack, and/or information leakage.

    To mitigate these risks, Chrome deprecates requests to non-public subresources when initiated from non-secure contexts, and will start blocking them in Chrome 92 (July 2021).

    To fix this issue, migrate the website that needs to access local resources to HTTPS. If the target resource is not served on localhost, it must also be served on HTTPS to avoid mixed-content issues.

    Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites.

Using Firefox - the issue does not exist, and I can use the API swagger page fine - suggesting they have not (yet) implemented this security fix.

"Administrators can make use of the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies to temporarily disable this restriction on all or certain websites."

Is the above 'workaround' something which Emby/Swagger needs to do to allow continued use of the API via swagger?

Thanks.


InsecurePrivateNetworkRequestsAllowed is a browser policy that you'd have to set to allow it.

The best answer is to use https and that means setting up https on your server as well. You might be able to use localhost if you use the https version of our swagger docs.


rbjtech

ah ha - yes that works if I use localhost and the https version of swagger.

Bit of a pain though - as I don't admin via the server itself - ie it is not localhost ..

https://swagger.emby.media/?url=http://localhost:8096/emby/openapi&api_key=xxxx

Perhaps the API (swagger) link in the Emby GUI should now default to https ?

I'll look into the Browser policy - thanks, I thought that was a server side setting.


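A simplified model of the two browser checks discussed above (the private network request block from the DevTools message, and the mixed-content rule that lets the https Swagger page reach only localhost over http), added here as an illustration; it is not Emby, Swagger or Chromium code. The http:// Swagger URL and the 192.168.1.10 server address are assumed sample values.

```javascript
// Simplified model (added example) of the two browser checks in this thread.
// Assumption: only "localhost" and IPv4 literals are classified; other
// hostnames count as public because no DNS lookup is done here.
const RANK = { public: 0, private: 1, local: 2 };

function addressSpace(hostname) {
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return 'local';
  const m = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return 'public';
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 127) return 'local';
  if (a === 10 || (a === 192 && b === 168)) return 'private';
  if (a === 172 && b >= 16 && b <= 31) return 'private';
  if (a === 169 && b === 254) return 'private'; // link-local
  return 'public';
}

// Approximation of a secure context: HTTPS, or a loopback origin.
function isSecureContext(url) {
  return url.protocol === 'https:' || addressSpace(url.hostname) === 'local';
}

function classifyRequest(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const targetSpace = addressSpace(target.hostname);
  // Mixed content: an HTTPS page may not fetch plain HTTP, except from loopback.
  if (page.protocol === 'https:' && target.protocol === 'http:' && targetSpace !== 'local') {
    return 'blocked: mixed content';
  }
  // Rule from the DevTools message: a non-secure context may not reach into
  // a more private address space than the one it was loaded from.
  if (!isSecureContext(page) && RANK[targetSpace] > RANK[addressSpace(page.hostname)]) {
    return 'blocked: insecure private network request';
  }
  return 'allowed';
}

// Constructed cases; 192.168.1.10 stands in for a LAN Emby server.
const CASES = [
  ['http://swagger.emby.media/', 'http://192.168.1.10:8096/emby/openapi'],
  ['http://swagger.emby.media/', 'http://localhost:8096/emby/openapi'],
  ['https://swagger.emby.media/', 'http://localhost:8096/emby/openapi'],
  ['https://swagger.emby.media/', 'http://192.168.1.10:8096/emby/openapi'],
];
for (const [page, target] of CASES) {
  console.log(`${page} -> ${target}: ${classifyRequest(page, target)}`);
}
```

Only the third case is allowed, which matches the thread: https Swagger works against localhost, while a remote LAN server needs HTTPS on the Emby side as well.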
  • 1 month later...
Happy2Play

@Luke can you update the API url link to https for Swagger so we don't have to make any changes for localhost.

I am currently just updating the dashboard.js.


  • 4 months later...
Happy2Play
On 11/21/2021 at 7:08 AM, Luke said:

Yes that makes sense. Thanks.

Will this make it into 4.7?
