natelindev / tsdav

WebDAV, CALDAV, and CARDDAV client for Nodejs and the Browser
https://tsdav.vercel.app
MIT License
227 stars 37 forks

caldav icloud and CORS? #133

Closed rev111 closed 1 year ago

rev111 commented 1 year ago

Hello,

I tried to get my calendar events from browser js. For that purpose, I created an app-specific password. I import tsdav in the browser like this:

<script src="./tsdav.js" type="module" ></script>
<script type="module">
        import { Tests } from './tests.js';
        Tests.testTSDAV();
</script>

Relevant part of test.js:

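// Path assumed from the <script src="./tsdav.js"> tag above
import { DAVClient } from './tsdav.js';

export class Tests {
    static async testTSDAV() {
        const client = new DAVClient({
            serverUrl: 'https://caldav.icloud.com',
            credentials: {
                username: '$ICLOUD ACCOUNT LOGIN',
                password: '$APP_SPECIFIC PASSWORD',
            },
            authMethod: 'Basic',
            defaultAccountType: 'caldav',
        });
        // Discovery starts with a PROPFIND to /.well-known/caldav
        await client.login(); // CORS error here
    }
}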

On Chrome I get the error message:

Access to XMLHttpRequest at 'https://caldav.icloud.com/.well-known/caldav' from origin 'http://127.0.0.1:5500' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
tsdav.js:581          PROPFIND https://caldav.icloud.com/.well-known/caldav net::ERR_FAILED

I think I understand what is happening: the iCloud server has no "Access-Control-Allow-Origin:*" in its response. I'm just wondering why I haven't seen anyone else asking about this - am I the first who tried to access iCloud? Or hopefully, there is something I missed - because the tsdav readme says it works in a browser...?

Note that I was able to successfully connect to iCloud with curl, so it's not the authentication that fails...

Thanks in advance!

natelindev commented 1 year ago

This library is not really intended to be used in the browser with Google/iCloud etc., since they will not allow CORS requests for obvious security reasons.

In the case where you have your own CalDAV server hosted on the same domain as your web app, you can use it without problem. Or you can even configure your CalDAV server to return the Access-Control-Allow-Origin:* header, although it's not recommended because it means anyone from anywhere can now send requests to your CalDAV server.
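
Added example (not part of the original thread and not tsdav's or any server's own code): for the self-hosted case described above, an origin allow-list policy that a CalDAV server or reverse proxy could apply instead of `Access-Control-Allow-Origin: *`. The origin `https://app.example.com`, the function name `corsHeadersFor`, and the method and header lists are assumptions chosen for illustration.

```javascript
// Hypothetical allow-list; replace with the origin(s) of your own web app.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value

// WebDAV/CalDAV verbs and request headers a browser client may send (assumed
// lists). None are CORS-safelisted, so each request triggers a preflight.
const ALLOWED_METHODS = ['OPTIONS', 'GET', 'PUT', 'DELETE', 'PROPFIND', 'PROPPATCH', 'REPORT', 'MKCALENDAR'];
const ALLOWED_HEADERS = ['authorization', 'content-type', 'depth', 'if-match', 'if-none-match'];

// req: { method, headers } with lower-cased header names (as Node's http gives).
// Returns the CORS headers to add and, for a preflight, the status to answer with.
function corsHeadersFor(req) {
  const origin = req.headers['origin'];
  // No Origin header (curl, server-to-server) or unknown origin: emit no CORS
  // headers, so a browser on another origin cannot read the response.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: null, headers: {} };

  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the vetted origin, never '*'
    'Vary': 'Origin',                      // keep caches from mixing origins
  };
  const wantMethod = req.headers['access-control-request-method'];
  if (req.method !== 'OPTIONS' || !wantMethod) {
    return { status: null, headers };      // actual request: pass on to the DAV handler
  }

  // Preflight: approve only verbs and headers on the allow-lists.
  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod)
    && wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: { 'Vary': 'Origin' } };

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  // Authorization must be listed by name; a '*' wildcard does not cover it.
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600';
  return { status: 204, headers };
}

// Constructed preflight, shaped like the PROPFIND in the Chrome error above.
const samplePreflight = {
  method: 'OPTIONS',
  headers: {
    'origin': 'https://app.example.com',
    'access-control-request-method': 'PROPFIND',
    'access-control-request-headers': 'authorization,content-type,depth',
  },
};
```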

strukturart commented 1 year ago

I successfully use TSDAV with my KaiOS app; now I would like to have the Google OAuth process verified. Google needs a video of the app using the CalDAV API. To do this, I have to run the app in the desktop browser, but I always get a CORS message when calling the Google calendar. Is there a way to use TSDAV in the browser?

martinschilliger commented 1 year ago

Couldn't you use Charles Proxy or some other proxy to edit the server responses?