bastienwirtz / homer

A very simple static homepage for your server.
https://homer-demo.netlify.app/
Apache License 2.0

Ping working on Firefox without needing a CORS proxy or Access-Control-Allow-Origin: * #830

Open tryolly opened 5 hours ago

tryolly commented 5 hours ago

I'm very confused and know very little about the topic. I've just set up the Ping card for my instance of Homer on my local-only home server. When using Microsoft Edge on my main computer to check the dashboard, all my services have the Ping as offline, which is what I expect since I am not using a proxy and have not set Access-Control-Allow-Origin: * in the header for each of my services.

However, when I use Firefox on the same computer as Edge everything just works, they all show as online, I don't get it. When I check Firefox on another computer in the house it shows as offline, just like Edge does, which is what I would expect. Does anyone know why Firefox on my main computer seems to be ignoring the issue with CORS?

I thought that maybe it was one of my extensions, but I turned them off and no change. I also thought it might have been the strict tracking protection, nope again. I am slightly concerned that this is happening as it may be a security leak with my Firefox browser, or alternatively maybe I stumbled upon some way to solve the CORS issue without a proxy, Access-Control-Allow-Origin: *, or requiring same domain/port.

Perhaps I have edited some security option in about:config, but I can see nothing. Does anyone here have any idea about what is going on?

tryolly commented 4 hours ago

When I try a fetch command in the webtools to one of the services on my server I get the following

fetch('http://192.168.20.2:7878')
Promise { <state>: "pending" }
  <state>: "fulfilled"
  <value>: Response { type: "cors", url: "http://192.168.20.2:7878/", redirected: false, … }
    body: ReadableStream { locked: false }
      locked: false
      <prototype>: ReadableStreamPrototype { cancel: cancel(), getReader: getReader(), pipeThrough: pipeThrough(), … }
    bodyUsed: false
    headers: Headers(4) { "cache-control" → "no-cache, no-store", "content-type" → "text/html", expires → "-1", … }
      <entries>
      <prototype>: HeadersPrototype { append: append(), delete: delete(), get: get(), … }
    ok: true
    redirected: false
    status: 200
    statusText: "OK"
    type: "cors"
    url: "http://192.168.20.2:7878/"

With Firefox on the other computer in my house it shows the state as rejected.

tryolly commented 3 hours ago

So I worked out what was happening. Firefox has an option in its Settings > Privacy & Security > HTTPS-Only Mode. The setting is either

I have mine set to Enable HTTPS-Only Mode in all windows. With this setting enabled the Ping works. Switch to Don’t enable HTTPS-Only Mode and now the Ping doesn't work and all services show as offline.

So the question is why is this happening? I am not using HTTPS on my network.
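
The console check from the second comment, extended to several services and to a comparison between two browsers or settings, as an added example that is not part of the original thread. `probe`, `probeAll`, `diffRuns` and the second address in `SERVICES` are names and values made up for illustration.

```javascript
// Added example, not from the thread. The second address is a constructed
// placeholder; replace SERVICES with the URLs from your Homer config.
const SERVICES = ['http://192.168.20.2:7878', 'http://192.168.20.2:8080'];

// Probe one URL the way the console check in the thread does, and record what
// the page's JavaScript is allowed to see. fetchImpl is injectable for testing.
async function probe(url, fetchImpl = fetch, timeoutMs = 5000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { cache: 'no-store', signal: controller.signal });
    return {
      url,
      state: 'fulfilled',
      type: res.type, // "cors" means a cross-origin response was exposed to the page
      status: res.status,
      // True if the response reports a different scheme than the one requested.
      schemeChanged: res.url ? new URL(res.url).protocol !== new URL(url).protocol : null,
    };
  } catch (err) {
    // A CORS block, a refused connection and a timeout all end up here.
    return { url, state: 'rejected', error: `${err.name}: ${err.message}` };
  } finally {
    clearTimeout(timer);
  }
}

async function probeAll(urls, fetchImpl = fetch) {
  return Promise.all(urls.map((u) => probe(u, fetchImpl)));
}

// List the URLs on which two runs (two browsers, or two settings) disagree.
function diffRuns(runA, runB) {
  const other = new Map(runB.map((r) => [r.url, r]));
  return runA
    .filter((a) => other.has(a.url) && other.get(a.url).state !== a.state)
    .map((a) => ({ url: a.url, a: a.state, b: other.get(a.url).state }));
}

// In the browser console on the dashboard page:
//   probeAll(SERVICES).then((run) => console.table(run));
```

Running it once with HTTPS-Only Mode enabled and once with it disabled, then passing both result arrays to `diffRuns`, shows exactly which services change state with the setting.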