stonecoldpat / anonymousvoting

Anonymous voting on Ethereum without a tally authority. Protocol from this paper http://homepages.cs.ncl.ac.uk/feng.hao/files/OpenVote_IET.pdf

Chrome : XMLHttpRequest cannot load http://XX.XX.XX.XX:8545/. Response to preflight request doesn't pass access control check #11

Closed descampsk closed 6 years ago

descampsk commented 7 years ago

Hello !

I found an issue with Chrome and other browsers when they try to connect to an Ethereum node with RPC which is on a distant machine on the local network.

The error is :

XMLHttpRequest cannot load http://XXXXXXXXX.8545/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://192.168.99.100' is therefore not allowed access.

I didn't manage to understand how to put a header to avoid this issue.

However, to avoid this issue, I put the arguments --disable-web-security --user-data-dir to launch Chrome, but it doesn't seem to be the best solution.

This issue exists on Firefox too.

Do you have an idea?

Thank you !

stonecoldpat commented 7 years ago

Hey,

Let me understand the situation. The user is running the website on their machine (i.e. vote.html) and then trying to connect to an Ethereum node (i.e. Geth) on a distant machine? I'll ask around as I haven't tried this before, but is there any reason for this approach?

I'm not sure if Web3 can guarantee it is talking to a legit full Ethereum node (i.e. has a full copy of the blockchain). This is not normally a concern since a node is on the user's actual machine, but if it is in the distance then that implies a different trust model, i.e. we are trusting the remote machine to really be running an Ethereum node. If this is the trust model you have - why not just have vote.html connect directly to the web server (some .php scripts) instead of the Ethereum node?

stonecoldpat commented 7 years ago

A friend told me the following:

You'll have to make sure your request passes the correct 'origin' property. Either anonymous or with-credentials.

Then your remote server needs to have the correct CORS policy. See your server docs to see how to set this. (Example with GET requests:)

AllowedOrigin:
AllowedMethod: GET
AllowedHeader:

I hope the above is a good pointer on what to do next?
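
An added example, not part of the original thread or of the project's code: a simplified JavaScript model of the check a browser applies to a preflight response, showing why the JSON-RPC POST from the page triggers a preflight and what the node's reply must contain for it to pass. Function names and the sample header sets are hypothetical and constructed; credentialed requests and status-code handling are left out.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard).
// Hypothetical helper names; credentials mode is not modelled.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const csv = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request headers that are not CORS-safelisted. A JSON-RPC POST sends
// Content-Type: application/json, which is why the browser preflights it.
function unsafeHeaders(reqHeaders) {
  return Object.entries(reqHeaders)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n !== "content-type") return !SAFE_HEADERS.includes(n);
      return !SAFE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

function needsPreflight(method, reqHeaders) {
  return !SAFE_METHODS.includes(method.toUpperCase()) || unsafeHeaders(reqHeaders).length > 0;
}

// Evaluates the preflight response headers (lower-case keys) for one request.
function checkPreflight(origin, method, reqHeaders, resHeaders) {
  const allowOrigin = resHeaders["access-control-allow-origin"];
  if (!allowOrigin) return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (allowOrigin !== "*" && allowOrigin !== origin)
    return { allowed: false, reason: `origin ${origin} not allowed` };
  const methods = csv(resHeaders["access-control-allow-methods"]);
  if (!SAFE_METHODS.includes(method.toUpperCase()) &&
      !methods.includes(method.toLowerCase()) && !methods.includes("*"))
    return { allowed: false, reason: `method ${method} not allowed` };
  const allowHeaders = csv(resHeaders["access-control-allow-headers"]);
  const missing = unsafeHeaders(reqHeaders)
    .filter((h) => !allowHeaders.includes(h) && !allowHeaders.includes("*"));
  if (missing.length) return { allowed: false, reason: `header ${missing[0]} not allowed` };
  return { allowed: true, reason: "ok" };
}

// Constructed samples: the page origin from the error message, the request
// headers of a JSON-RPC call, and a reply that allows only that origin.
const ORIGIN = "http://192.168.99.100";
const RPC_HEADERS = { "Content-Type": "application/json" };
const PINNED_REPLY = {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-headers": "content-type",
};
```

In geth releases of that period the allow-list for the HTTP-RPC endpoint is set with `--rpccorsdomain` (renamed `--http.corsdomain` in later releases); listing only the page's origin there satisfies this check without starting Chrome with --disable-web-security.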

descampsk commented 7 years ago

Thanks for your answer!

I haven't had the time yet to try your solution but I will keep you informed of the results.

For more information, I'm trying to build a Docker image which can automatically connect to a private Blockchain with RPC allowed, to simplify the connection to the Blockchain for the user.

  1. The user launches the Docker image on his local machine and is connected to the Blockchain.
  2. Then he runs the website on his local machine, and the JavaScript code connects to the node with RPC.

The issue is that the Docker Engine creates a virtual machine on Windows and a network between the host and this machine. The Ethereum node is on this machine, and the website needs to go through this network to be connected to the node.

To summarize, the user is running the website on their machine (i.e. vote.html) and then trying to connect to an Ethereum node (i.e. Geth) on the "virtual" distant machine. All machines are local but Chrome "thinks" the Ethereum node is on a distant machine and refuses the connection.

I don't know if I'm really clear, my English is not so good, and it's a bit complicated to explain ^^.