CORS problem on local and main

miadey · November 7, 2023, 10:00pm

Hi,

Any reason why I can’t http_request between two canister, an asset canister and a server.mo canister on my localhost. I have tweaked the ic-asset.json5 without success. Strangely, I am able to call external cdn from the server canister when I add them to the ic-asset file.

Also, I had a look at the html source of the mycanister page (Internet Computer Loading) and it seems that the CSP open many address. This tag doesn’t appear for my canisters on both local and on ICP


<meta http-equiv="Content-Security-Policy" content="default-src 'none';
        connect-src 'self' https://identity.internetcomputer.org/ https://identity.ic0.app https://nns.ic0.app https://api.geoiplookup.net https://api.iplocation.net 'self' https://icp-api.io https://3r4gx-wqaaa-aaaaq-aaaia-cai.icp0.io https://2hx64-daaaa-aaaaq-aaana-cai.raw.icp0.io https://7hi6i-7iaaa-aaaaq-aaaqq-cai.raw.icp0.io https://7sppf-6aaaa-aaaaq-aaata-cai.raw.icp0.io https://zcdfx-6iaaa-aaaaq-aaagq-cai.raw.icp0.io https://3r4gx-wqaaa-aaaaq-aaaia-cai.icp0.io;
        img-src 'self' data: https://nns.internetcomputer.org/ https://nns.ic0.app/ https://nns.raw.ic0.app/ https://3r4gx-wqaaa-aaaaq-aaaia-cai.icp0.io;
        child-src 'self';
        manifest-src 'self';
        script-src 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'sha256-z3re+V1Zk4tynXGrjrFoz8XdETFOQRY3SuiOP5WFHgQ=' 'sha256-5jvyMAjtYX4LBiTZYnv4rE0QmgsPCJ94RCKdzPXG1Mc=' 'sha256-gy87KdMwRAxWQJW/QU14NXUU8Hn/tBIzxZZ651zgco8=' 'sha256-E5BEJXRTSWCBLIMVYMfTu95YuG+DxN20F7HOfAGOKRU=';
        base-uri 'self';
        form-action 'none';
        style-src 'self' 'unsafe-inline';
        font-src 'self';
        upgrade-insecure-requests;">

peterparker · November 8, 2023, 5:33am

Do I get it right, you cannot call a canister from your frontend app served in the browser right?

If correct, got few question:

It’s happening locally or on mainnet?
If locally, how do you serve your app (npm run … or dfx start)?
Your backend runs on the same domain / network?
The call that leads to the error is using agent-js?

Assuming it’s happening in a browser, can you maybe a screenshot of your browsers tab displaying the error?

miadey · November 8, 2023, 1:45pm

Hi,

This is on my localhost and I’m using dfx start --clean
I don’t use agents, no JS on the frontend.

I have a frontend canister with an index.html file

This file use HTMX to make a Ajax call to the backend canister like this :

<div hx-get="http://be2us-64aaa-aaaaa-qaabq-cai.localhost:4943/" hx-trigger="load" hx-target="#outerBody" hx-swap="innerHTML">          
</div>

On my backend, I use the server.mo package to receive the call and return Html to the frontend :

server.get("/", func(req : Request, res : ResponseClass) : async Response {
		var contacts = await Contact.listContact(1);
		var templateContent = ContactView.templateContact(contacts);
		res.send({
		    status_code = 200;
		    headers = [("Content-Type", "text/html")];
		    body = Text.encodeUtf8(templateContent);
		    streaming_strategy = null;
		    cache_strategy = #noCache;
		 });

Here is the network tab

I have tried on the mainnet and have the same problem, the message is a CSP error
https://su64i-vaaaa-aaaan-qek5q-cai.raw.icp0.io/

Currently, I’m running the frontend (serve the frontend code) on the backend, but I cannot access the assets correctly.
http://be2us-64aaa-aaaaa-qaabq-cai.raw.localhost:4943/ (Take more then 10 secondes to load)

peterparker · November 8, 2023, 9:25pm

This error on mainnet raw makes sense to me. The CSP does not accept the target domain in the connect-src rule. Add the targeted canister id to the rule and it should do.

peterparker · November 8, 2023, 9:28pm

In you browser, which URL are you using to load your frontend locally?

It for example it’s on another port than the canister you try to call - http://be2us-64aaa-aaaaa-qaabq-cai.localhost:4943 - it might be the issue.

In addition, don’t know how the certificed asset canister of dfx works but, I can imagine that even locally a Content Security Header is defined so might good be that even locally the targeted canister is not white listed.

When you have the CORS error in your browser, did you check what’s the actually rule and if it matches the canister you are targeting?

miadey · November 8, 2023, 10:04pm

Ok! Thank you very much I’m getting in this right now. I’ll have to get a better knowledge on CSP.

Also, I imagine you noticed how long it took for the page to load…
The first part of the page load in about 2-3 seconds, I’m ok with this. But the call to my contact actor canister to get the contact list take very long. I thought that a query func would take not more than 4 secondes, am I right on this ? This is the link for my actual frontend (its the backend who response) until : https://rnftg-fiaaa-aaaam-abxja-cai.raw.icp0.io/

peterparker · November 9, 2023, 5:57am

A query function should be super fast, rather few milliseconds than seconds.

miadey · November 9, 2023, 8:24pm

Hi, just put back what I had a a couple of weeks ago at : https://su64i-vaaaa-aaaan-qek5q-cai.icp0.io/
Still stuck with this error

Access to fetch at ‘https://a4gq6-oaaaa-aaaab-qaa4q-cai.raw.icp0.io/contact/list?id=rnftg-fiaaa-aaaam-abxja-cai’ from origin ‘https://su64i-vaaaa-aaaan-qek5q-cai.icp0.io’ has been blocked by CORS policy: Request header field hx-target is not allowed by Access-Control-Allow-Headers in preflight response.

I have added the backend address to the “Content-Security-Policy” tag. I have tried different approach without success. Is there a tag in the ic-assets.json to allow a new type of request ?
Thank you

peterparker · November 9, 2023, 9:20pm

If you curl or use other method to fetch https://a4gq6-oaaaa-aaaab-qaa4q-cai.raw.icp0.io/contact/list?id=rnftg-fiaaa-aaaam-abxja-cai everything is fine and correct? Just to rule out other issues.

If no other issues, if you fully remove the CSP, does it works out?

miadey · November 9, 2023, 9:37pm

Nope! Using this https://a4gq6-oaaaa-aaaab-qaa4q-cai.raw.icp0.io/index?id=rnftg-fiaaa-aaaam-abxja-cai with a GET in Postman return a 404. Surprisingly, https://rnftg-fiaaa-aaaam-abxja-cai.raw.icp0.io/index works! This is what I was using to make things work! Is this legal

peterparker · November 9, 2023, 9:41pm

I’m not sure what your canister does so, I cannot really tell if surprising or not unfortunatelly. I would maybe try to solve the 404 before trying the solve the CSP issue, kind of feel that both are related. Locally everything works fine?

miadey · November 9, 2023, 9:51pm

Yes, both are on localhost. . Using this method (https://rnftg-fiaaa-aaaam-abxja-cai.raw.icp0.io/) works fine. I was trying to resolve the 10-15 seconds delay between the canisters call, thought it would be related. Thank you for your help, I’ll try to resolve the 404 and report back if I find something.

Topic		Replies	Views
Unclear use of ic-assets.json JavaScript	6	957	August 29, 2022
How can I get a json file hosted on the IC with JS in the browser? [Anonymous Dev Question] Developers	4	570	January 23, 2023
Can we somehow achieve or build a canister with a interface bahaving like a classic web server Developers	53	14264	May 25, 2021
Modifying NGINX Server Configuration of Canister Developers	2	447	September 28, 2021
Make external (non-IC) HTTP request from backend canister? Programs & Applications	5	4564	May 7, 2021

CORS problem on local and main

Related Topics