jech / galene

The Galène videoconference server
https://galene.org
MIT License

CORS error when accessing .status on publicServer #226

Open martybetz opened 3 days ago

martybetz commented 3 days ago

In data/config.json, I set {publicServer:true}. I then ran: galene -insecure -turn 192.168.4.23:1194

So, Galene server and simple examples are now running fine on http://localhost:8443

But my intention is to use it from pages hosted on another local webserver. localhost:7701. I tried to get the simple example/example.html static page working from there. Naturally, in example.js, I needed to use "await start("http://localhost:8443/group/public/");" That's fine.

But then I still get a CORS error when my :7701 hosted js needs to fetch("http://localhost:8443/group/public/.status") I think there is a bug with CORS access of ".status". It seems webserver/webserver.go fails to set the header for Allow-Origin properly when the requested file is ".status":

By adding the following code into groupStatusHandler(),

```go
// Look up the group's configuration so the handler can tell
// whether cross-site access has been enabled for this server.
conf, err := group.GetConfiguration()
if err != nil {
    httpError(w, err)
    return
}
// Mirror what publicServer already does for the conferencing
// endpoints: allow any origin to read .status.
if conf.PublicServer {
    w.Header().Set("Access-Control-Allow-Origin", "*")
}
```

everything works perfectly. Am I doing something wrong? Did I find a bug? -Marty

jech commented 2 days ago

I think you're doing everything right, and you've found a limitation in Galene's administrative interface.

Currently, the publicServer directive allows cross-site access to the videoconferencing protocols (both the native protocol and WHIP). However, it does nothing to the administrative interface.

Do we want to allow cross-site access to the administrative interface when publicServer is set, or should that be controlled by a different directive?

martybetz commented 1 day ago

Ah. That makes sense. Thanks.

I'm not very familiar with WHIP use cases, but for client communication I think allowing a specific CORS origin domain would be valuable, as opposed to the rarely desired fully public access. And I could imagine a separate, parallel need for private or open WHIP access.

So, I'm envisioning the config file might allow for something like: ClientCorsAccess: "*" or "http://domain:7701" etc.

Again, I'm not an expert, so I'm very open to other perspectives.
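
The following is an added illustration of the allowlist idea discussed in this thread (the "publicServer only covers the conferencing protocols" point above and the ClientCorsAccess proposal); it is not Galene's code. The corsConfig type, the ClientCorsAccess field and statusHandler are assumptions standing in for the real configuration and groupStatusHandler, and the JSON body is a constructed placeholder. It shows the difference between echoing a wildcard and echoing one configured origin: a specific origin has to match the request's Origin header exactly (scheme, host and port), and the response then needs Vary: Origin so a cache never hands that response to a different site.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// corsConfig is an illustrative config type (not Galene's): ClientCorsAccess
// holds either "*" or one or more exact origins such as "http://localhost:7701".
// An empty list means cross-site access to .status is denied (default deny).
type corsConfig struct {
	ClientCorsAccess []string // hypothetical field proposed in the issue
}

// allowedOrigin returns the Access-Control-Allow-Origin value to send for a
// request from requestOrigin, or false when no header should be sent at all
// (same-origin or non-browser request, or an origin that is not allowlisted).
func allowedOrigin(cfg corsConfig, requestOrigin string) (string, bool) {
	if requestOrigin == "" {
		return "", false // no Origin header: not a cross-site browser request
	}
	for _, o := range cfg.ClientCorsAccess {
		if o == "*" {
			return "*", true
		}
		// Origins are compared as exact strings; "http://localhost:7701" does
		// not match "http://localhost:8443" or "https://localhost:7701".
		if o == requestOrigin {
			return requestOrigin, true
		}
	}
	return "", false
}

// setCORS writes the headers chosen by allowedOrigin. When a specific origin
// is echoed back, Vary: Origin stops shared caches from reusing the response
// for a different origin.
func setCORS(w http.ResponseWriter, cfg corsConfig, r *http.Request) bool {
	origin, ok := allowedOrigin(cfg, r.Header.Get("Origin"))
	if !ok {
		return false
	}
	w.Header().Set("Access-Control-Allow-Origin", origin)
	if origin != "*" {
		w.Header().Add("Vary", "Origin")
	}
	return true
}

// statusHandler is a stand-in for a group's .status endpoint.
func statusHandler(cfg corsConfig) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasSuffix(r.URL.Path, "/.status") {
			http.NotFound(w, r)
			return
		}
		setCORS(w, cfg, r)
		if r.Method == http.MethodOptions {
			// Preflight: headers only, no body.
			w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		// Constructed placeholder body; the real .status document differs.
		status := map[string]any{"name": "public", "clientCount": 0}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(status)
	})
}

func main() {
	cfg := corsConfig{ClientCorsAccess: []string{"http://localhost:7701"}}
	h := statusHandler(cfg)
	for _, origin := range []string{"http://localhost:7701", "http://other.example", ""} {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, "/group/public/.status", nil)
		if origin != "" {
			req.Header.Set("Origin", origin)
		}
		h.ServeHTTP(rec, req)
		fmt.Printf("Origin=%q -> ACAO=%q Vary=%q\n", origin,
			rec.Header().Get("Access-Control-Allow-Origin"), rec.Header().Get("Vary"))
	}
}
```

With the allowlist set to "http://localhost:7701", the first request gets that origin echoed back with Vary: Origin, while the other two get no CORS header and the browser refuses the cross-site fetch; setting the list to "*" reproduces the fully public behaviour of the patch earlier in the thread.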

jech commented 1 day ago

https://lists.galene.org/galene/878qu0u1yx.wl-jch@irif.fr/T/