coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

JSON method is broken with cors-rfc1918 is enabled! #531

Open vdemtcev opened 2 years ago

vdemtcev commented 2 years ago

Hello!

Now cors-rfc1918 is enabled by default in Chrome and CORS to private IP is blocked!

On the client side the problem looks like this: (screenshot attached)

If I disable this function, the request goes through without problem. (screenshot attached)

I see only two ways to solve the problem: 1) add the header 'Access-Control-Allow-Private-Network': true to the response; 2) use the old scheme /login and /logout (without JSON/AJAX).

For more information read this: https://wicg.github.io/private-network-access

vdemtcev commented 2 years ago

This problem is partially solved in patch https://github.com/coova/coova-chilli/pull/415/commits/135b1a44dc4ea47f0d0b7d2539da57a885f3f549, but this pull request was ignored.

We can add the same code for the "Access-Control-Allow-Private-Network: true" header and the problem is gone!

I can do it, but who will merge my pull request?

dirkvanderwalt commented 2 years ago

> This problem is partially solved in patch 135b1a4, but this pull request was ignored.
>
> We can add the same code for the "Access-Control-Allow-Private-Network: true" header and the problem is gone!
>
> I can do it, but who will merge my pull request?

I manually added that and even added Access-Control-Allow-Private-Network: true but it seems you HAVE TO serve the login page through HTTPS for Chrome to mark you as a 'trusted source' that can do Ajax calls to the local network.

Somehow on OpenWRT 21.02 Coova's HTTPS JSON interface now seems not to work... busy investigating that also.

vdemtcev commented 2 years ago

> ... mark you as a 'trusted source' that can do Ajax calls to the local network.

I already do this. But... "Block insecure private IP1 is private and IP2 is public" is true and the request is blocked by Chrome.

Now we use POST for /logon and check res=success on the redirect to solve the problem. This is a legacy method, but it works for me. Just remove /json/ from the path and look at the redirect params. If you need more help, ask me.

These links can help you in your investigation:

- https://wicg.github.io/private-network-access/ - CORS-RFC1918
- https://web.dev/cors-rfc1918-feedback/ - Feedback wanted: CORS for private networks (RFC1918)
- https://developer.chrome.com/blog/private-network-access-update/ - Private Network Access update: Introducing a deprecation trial

gilfrade commented 2 years ago

I am also experiencing this with OpenWRT 21.02 using coova-chilli 1.16.
Funny that my previous build still works with OpenWRT 19.07 and coova-chilli 1.14, same setup. What changed?
@dirkvanderwalt did you find something?