nextcloud / spreed

🗨️ Nextcloud Talk – chat, video & audio calls for Nextcloud
https://nextcloud.com/talk
GNU Affero General Public License v3.0

CORS Missing Allow Origin #9616

Closed absurd-turtle closed 1 year ago

absurd-turtle commented 1 year ago

I want to integrate the Nextcloud Talk chat with my webapp. When I send a request to the following endpoint, 'myNextcloud.org/ocs/v2.php/apps/spreed/api/v4/room', the request gets declined with status '405 Method Not Allowed'.

To be able to fetch data from other endpoints I installed WebAppPassword.

Is there some configuration to set the allowed origins for the spreed APIs?

Steps to reproduce

  1. Send a request to myNextcloud.org/ocs/v2.php/apps/spreed/api/v4/room

Expected behaviour

Appropriate response including the conversations of a user

Actual behaviour

The request gets declined with status '405 Method Not Allowed'.

Talk app

Talk app version: 15.0.5

Custom Signaling server configured: no

Custom TURN server configured: no

Custom STUN server configured: no

Browser

Microphone available: no

Camera available: no

Operating system: Linux

Browser name: Firefox

Browser version: 113.0.1

Browser log

**Request Headers:**

```
OPTIONS /ocs/v2.php/apps/spreed/api/v4/room HTTP/1.1
Host: myNextcloud.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,ocs-apirequest
Referer: http://localhost:5173/
Origin: http://localhost:5173
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
```

**Response Headers:**

```
HTTP/1.1 405 Method Not Allowed
Server: nginx/1.18.0
Date: Wed, 24 May 2023 19:28:27 GMT
Content-Type: text/xml; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-NzV3UHNkSGh1QStwc2JqNzcyYTlXWUNEWjhZTkRFT3dUTjE3YkhDbjhGQT06aE5wdDQ3bUh5MGJFNU5TQ3FWSDdIN0hGSDY1VVh6dkRaNU11WFRuQTN3UT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Referrer-Policy: no-referrer
Set-Cookie: oc_sessionPassphrase=MvgUyBLG0mYl7b4pEkPgQgCogEwMsXHlyVbnyCOW2xVF6MeRYF5DYRj8ztYoBnzZ21tfM8JIkXVt9e0kWiRh1BE1FdPL1V2XtZIYb0qYRP0llxEhsjibMxjl80VWyA2%2B; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ock8mxznsvn1=fb24b7a404f27f80b2e4953ab48eae95; path=/; secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Powered-By: PHP/8.0.28
X-Robots-Tag: noindex, nofollow
X-Xss-Protection: 1; mode=block
```

Server configuration

Operating system: Debian

Nextcloud Version: Nextcloud Hub 3 (25.0.6)

nickvergessen commented 1 year ago

> Is there some configuration to set the allowed origins for the spreed APIs?

No, as this sounds rather risky and not like something we want to do. Maybe you can ask the maintainer of the linked and already insecure app to extend their work (although I would recommend not to do so).

absurd-turtle commented 1 year ago

> > Is there some configuration to set the allowed origins for the spreed APIs?
>
> No, as this sounds rather risky and not like something we want to do. Maybe you can ask the maintainer of the linked and already insecure app to extend their work (although I would recommend not to do so).

Why does it sound risky?
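An added illustration, not part of this thread and not Nextcloud or Talk code: a minimal CORS preflight check for the `OPTIONS` request captured in the browser log above, showing what a strict origin allowlist looks like for an API called with the `authorization` header and session cookies. The `policy` object shape, the `evaluatePreflight` function and the origin `https://app.example.com` are assumptions; the request text is constructed from the log.

```javascript
// Added example (not Nextcloud/Talk code): strict CORS preflight check for the
// OPTIONS request in the issue. Request text is constructed from the log above.
const PREFLIGHT = [
  "OPTIONS /ocs/v2.php/apps/spreed/api/v4/room HTTP/1.1",
  "Host: myNextcloud.org",
  "Origin: http://localhost:5173",
  "Access-Control-Request-Method: GET",
  "Access-Control-Request-Headers: authorization,ocs-apirequest",
].join("\r\n");

// Parse the request line and headers (header names lowercased for lookup).
function parseRequest(raw) {
  const [requestLine, ...headerLines] = raw.split("\r\n");
  const [method, path] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers };
}

// policy (hypothetical shape): exact origins, allowed methods, allowed request headers.
// Returns null when the request is not a preflight, else {status, headers}.
function evaluatePreflight(raw, policy) {
  const req = parseRequest(raw);
  if (req.method !== "OPTIONS") return null;
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  const wanted = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  // Exact match only. Reflecting whatever Origin arrives together with
  // Allow-Credentials: true would let any site call the API as the logged-in
  // user, and browsers reject "*" combined with credentials anyway.
  const ok = policy.origins.includes(origin) &&
    policy.methods.includes(method) &&
    wanted.every((h) => policy.headers.includes(h));
  if (!ok) return { status: 403, headers: {} }; // no CORS headers: the browser blocks the call
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,          // the one matched origin, never "*"
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Vary": "Origin",                               // caches must key on Origin
    },
  };
}

// Assumed deployment policy: only the production web app origin is trusted.
const POLICY = { origins: ["https://app.example.com"], methods: ["GET"], headers: ["authorization", "ocs-apirequest"] };
```

With `POLICY` as defined, the captured request from `http://localhost:5173` gets no CORS headers and the browser refuses the cross-site call; only a policy listing that exact origin produces a `204` with `Access-Control-Allow-Origin` set to it.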