newhinton / Round-Sync

An android cloud file manager, powered by rclone. Visit https://roundsync.com for more information!
GNU General Public License v3.0

Enable CORS on Serve (WebDAV) #115

Open alensiljak opened 1 year ago

alensiljak commented 1 year ago

Pre-Submission checklist

What version of extRact are you using (About -> App version)?

2.1.3

What problem are you trying to solve?

Serving a remote folder (say via WebDAV) does not allow connections from a PWA (in-browser web app) running on the same machine due to CORS.

What should extRact be able to do differently to help with this problem?

Allow all connections. Use the following header:

(Access-Control-Allow-Origin: *)

Related Rclone issue

https://github.com/rclone/rclone/issues/5078

alensiljak commented 1 year ago

I just saw that a new pull request has been submitted recently. With that fix in rclone, it will still be necessary to specify the origin string somewhere in the settings.

newhinton commented 1 year ago

Okay, but from what I get, for this to work in round-sync we have to wait for the upstream issue to be merged/fixed.

Could you make this work with only rclone and its config on the desktop? If yes, can you post a minimal example on how?

alensiljak commented 1 year ago

for this to work in round-sync we have to wait for the upstream-issue to be merged/fixed

That is most likely correct. The new setting should allow directly setting the response header (allow-origin), which would allow connecting from browsers. Something like --allow-origin * would need to be passed to the rclone serve command.

To test, a connection should be established from browser JavaScript. This currently fails due to CORS but should work once the allow-origin * is set, i.e. when listing the root folder via WebDAV.

alensiljak commented 1 year ago

The change has just been merged and should probably appear with the next release.

newhinton commented 1 year ago

This is great news!

Though I do not really want to allow ALL connections, I will either make it work in a more limited fashion OR make it a switch in the settings with a warning attached.

To replicate your setup, what exactly is your process? I assume you start a server via round-sync, webdav with login?

Which pwa do you use to access that remote then?

alensiljak commented 1 year ago

I usually allow all connections because the server runs either on the phone or on the workstation with a firewall and I'm connecting from the same device in all cases. It would possibly also work with a correct setting but I'm not sure what that would be (localhost, 192.168.x.x., 10.x.x.x, 127.0.0.1?).

So far I have at least two separate use cases but the goal is the same. One app is https://cashier.alensiljak.eu.org/. It synchronizes through a dedicated server app and I would like to remove that part as it is potentially technologically redundant. Instead, I'd like to access the files directly but that is proving elusive despite all the tech advances. In any case, I want to use rclone to provide me with WebDAV access to my cloud storage provider. After configuring a remote, I'd run rclone serve webdav provider:/ or something similar. That would give me a local WebDAV server which serves my (text) files. Then Cashier would read the appropriate files. It reads Ledger journal files, and also would back up and restore settings, export data created on the mobile device, etc. Edit: using serve http would automatically provide read-only access instead, for example.

The second case is organice. It is an OrgMode client. I have not been using it but may try again when this is solved.

In effect, this would allow any PWA to access any (supported) provider out there and is really a critical functionality for providing storage access for PWA apps, as far as I see it. This is something the storage providers could have enabled themselves but that's probably not going to happen due to security concerns.

That said, please enable custom setting for allow-origin as that may change depending on circumstances. Some common-sense default is ok, as well as it being disabled by default.

Thanks!

alensiljak commented 1 year ago

i do not really want to allow ALL connections

This is an interesting aspect. Why not? Technically, this just discriminates against PWAs as applications, because any other app or script that runs outside a browser can access the server without any restrictions. I'm not sure what the actual concern here is. Especially if authentication is added to the server command.

newhinton commented 1 year ago

This is an interesting aspect. Why not?

If I only give the user access to the same "serve" command I am doing now, allowing all origins might allow connections from unwanted clients. I have to confess, I have not yet looked into the actual security implications and real-world dangers, but allowing "all" sounds wrong at first glance.

However, it is highly probable that I will either make it more configurable or allow the user to specify the value themselves, relieving me of the burden of managing risk.

Either way, this is not an "I won't do it", but an "I will do it, but I need to think about how to do it safely" thing; I just have not completely thought this through ;)

alensiljak commented 9 months ago

If I only give the user access to the same "serve" command I am doing now, allowing all origins might allow connections from unwanted clients. I have to confess, I have not yet looked into the actual security implications and real-world dangers, but allowing "all" sounds wrong at first glance.

This is actually only partially true. CORS affects only the requests coming from a web browser. There is absolutely nothing preventing someone writing a simple Python script (or anything else) that will connect to the same server.

Your concern is something that authentication and authorization are supposed to handle. CORS is mainly for preventing a malicious script on one page accessing your bank account details while you're also logged in there, or something along those lines.

In any case, this is mainly to report (after a long while) that my pull request has gone through and the issues with the WebDAV server and CORS have been fixed in rclone 1.65. Now I can finally connect from a PWA to a local rclone WebDAV server and have access to the cloud storage. Yay!
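The thread raises three questions that are easier to see in code than in prose: what value an origin allow-list actually compares against (the origin of the page running the JavaScript, i.e. scheme://host[:port], not the connecting client's IP, which is why "localhost, 192.168.x.x, 127.0.0.1?" has no good answer); what "*" admits compared with an explicit origin; and why a request that carries no Origin header at all (curl, a Python script, a native app) is never touched by CORS, so authentication is what gates those clients. The following is an added example written for this editing pass, not code from Round-Sync or rclone. It models the decision a CORS-aware, Basic-auth WebDAV server makes using only the Python standard library. The allow-list mirrors the idea behind rclone's --allow-origin flag, but the matching rules, the 403 answer to a rejected preflight, the header lists and the user/password are this example's own assumptions; the PWA origin is taken from the Cashier URL mentioned above.

```python
"""
Added example (not Round-Sync or rclone code): a minimal model of the CORS
decision a WebDAV server makes. Matching rules, header lists and the 403 on
a rejected preflight are this example's own choices, not rclone's behaviour.
"""
from base64 import b64encode
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Methods/headers a WebDAV client driven from JavaScript needs; PROPFIND and
# an Authorization header are both "non-simple", so the browser preflights.
WEBDAV_METHODS = "GET, HEAD, PUT, DELETE, OPTIONS, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE"
WEBDAV_HEADERS = "Authorization, Content-Type, Depth, Destination, Overwrite, If"


@dataclass
class Request:
    method: str
    headers: Dict[str, str]  # header names lower-cased, as a server would index them


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def normalize_origin(value: str) -> str:
    """Canonical scheme://host[:port] of an origin. Browsers send exactly this
    form, so a trailing slash or default port in the configured allow-list
    would otherwise cause a silent mismatch."""
    p = urlsplit(value.strip())
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an origin: {value!r}")
    scheme, host = p.scheme.lower(), p.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    return f"{scheme}://{host}" if p.port in (None, default) else f"{scheme}://{host}:{p.port}"


def cors_headers(allowed: List[str], origin: Optional[str]) -> Dict[str, str]:
    """CORS response headers for one request, or {} when none apply.
    No Origin header means the caller is not a browser page (curl, a script,
    a native app): CORS never enters the picture for it."""
    if origin is None or not allowed:
        return {}
    if "*" in allowed:
        # Wildcard: any page on the web may read responses. Browsers refuse
        # "*" combined with Access-Control-Allow-Credentials: true.
        return {"Access-Control-Allow-Origin": "*"}
    if normalize_origin(origin) in {normalize_origin(a) for a in allowed}:
        # Echo the exact origin and tell caches the answer depends on it.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def basic(user: str, password: str) -> str:
    """Value of an HTTP Basic Authorization header (constructed for the demo)."""
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()


def authorized(headers: Dict[str, str], users: Dict[str, str]) -> bool:
    """HTTP Basic check; this, not CORS, is what keeps unwanted clients out."""
    auth = headers.get("authorization", "")
    return any(auth == basic(u, p) for u, p in users.items())


def handle(req: Request, allowed: List[str], users: Dict[str, str]) -> Response:
    """Route one request the way a CORS-aware, Basic-auth WebDAV server would."""
    cors = cors_headers(allowed, req.headers.get("origin"))
    if req.method == "OPTIONS" and "access-control-request-method" in req.headers:
        # Preflight: sent by the browser without credentials and answered
        # before authentication; a rejected origin gets a bare 403 here.
        if not cors:
            return Response(403)
        cors.update({"Access-Control-Allow-Methods": WEBDAV_METHODS,
                     "Access-Control-Allow-Headers": WEBDAV_HEADERS,
                     "Access-Control-Max-Age": "600"})
        return Response(204, cors)
    if not authorized(req.headers, users):
        return Response(401, {"WWW-Authenticate": 'Basic realm="webdav"', **cors})
    status = 207 if req.method == "PROPFIND" else 200  # 207 Multi-Status for listings
    return Response(status, cors)


if __name__ == "__main__":
    pwa, users = "https://cashier.alensiljak.eu.org", {"alen": "s3cret"}  # constructed
    listing = Request("PROPFIND", {"origin": pwa, "depth": "1", "authorization": basic("alen", "s3cret")})
    print("wildcard  :", handle(listing, ["*"], users))
    print("explicit  :", handle(listing, [pwa], users))
    print("client IP :", handle(listing, ["http://127.0.0.1"], users))
    print("curl, auth:", handle(Request("GET", {"authorization": basic("alen", "s3cret")}), [], users))
```

The third case is the one to take from this: configuring the client's address instead of the page's origin yields a response with no Access-Control-Allow-Origin header, which the browser then refuses to hand to the PWA, while the same request from curl with valid credentials succeeds regardless of the allow-list.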