This topic is for anyone like me who is new to CORS and frequently mystified by browser complaints of failed “pre-flight checks” and so on. Such errors are the result of the Content Security Policy enacted by SAFE Launcher to improve security of users accessing web content on SAFE Network.
This is a place to gather together some info and how to’s that is editable by anyone (i.e. it’s a wiki post).
I’ll kick it off below with my meagre understanding at this point. If you have further advice either edit it into this post or in a reply with a suggestion that I add it. Now I’m off to try and get my RS.js test apps to jump the hurdle of SAFE Launcher Content Security Policy!
Info & Tips
- Content Security Policy is controlled by SAFE Launcher. To see the details of these restrictions, search for “Content-Security-Policy” and “Access-Control” etc in safe_launcher/app/server/web_proxy.js.
- Turn On The Browser Console: obvious once you know, but if your website isn’t behaving turn on your browser’s debugging features and particularly the output sent to the browser console. This can be done with Ctrl-Shift-K in Firefox and Ctrl-Shift-J in Chrome.
How To Comply
Please help fix and add to what follows to act as a quick start guide for anyone trying to leap this hurdle.
Here is what I currently understand (not much ):
- Don’t Inline Things: scripts and CSS must all be in separate files and linked from your HTML, and not be included inline inside your HTML file.
- CORS Everywhere: need a quick fix so you can test without hitting these errors? There’s a browser setting you can hack to turn off CORS pre-flight checks, and in Firefox there’s the “CORS Everywhere” plugin to give you a toolbar button to toggle this setting.
- Beware: confusion and head bashing can occur when SAFE Launcher returns a 403 (Forbidden) or perhaps it was 404 (Not Found). The browser can report this as a CORS error, which technically it might be, but it can throw you off the scent if you actually expect and need to handle the error.
-
SAFE API Endpoints: In a deployed website you access the API using the endpoints given in the API documentation. For example, authorisation uses endpoint
http://api.safenet/auth
but see Development next…
Development
Option 1: Using a Local Web Server
The official endpoints (e.g. http://api.safenet/auth
) work once the website is live on the network, but not while you are working on it locally . This is because the CSP headers inserted by the SAFE Launcher web-proxy prevent access to other domains.
As the launcher web proxy does not allow ‘localhost’ in the headers it inserts, you will need to turn CORS if in your browser. This can be done in Firefox by changing a browser setting, or toggled on and off more easily if you install the “CORS Everywhere” Firefox plugin. I don’t know about Chrome.
For local development run a local web server at the root of the app/website you are working on that serves up say http://localhost:8100
(which seems to be a standard default).
I use “ws” on linux and run it with the command ws -d ~/path/to/mysafewebsite
. If you are using npm, then npm start
does exactly this too. In your code you must then use that as your SAFE API endpoint, as in http://localhost:8100/auth
etc. but… before you upload and publish on SAFEnetwork, change the endpoints to http://api.safenet
as in http://api.safenet/auth
and so on.
Option 2: Using a Local SAFE Launcher
If you clone https://github.com/maidsafe/safe_launcher/ and follow the build instructions you can have a local SAFE Launcher running. It is then possible to disable the insertion of CSP headers by the proxy as follows (but note, this doesn’t work with the binary, only when run using npm
):
npm run start-dev
This invokes node ./tasks/start --proxy_unsafe_mode
and if you look in safe_launcher/server/web_proxy.js you can see the “unsafeMode” flag disables lots of stuff. This won’t work with the safe_launcher binary though as I mentioned (not for me anyway!).
Here is what I know is being changed:
- Data URI’s: loading from data URI’s is currently disabled (its the default) but being changed to allow certain safe types to be loaded such as images. Few people should hit this and it should be fixed soon, in API v.06 (see safe_launcher issue 245).
Cheeky call for tips, edits, links etc from @drunkcod @joshuef @frabrunelle @Krishna (and get over here @lightyear, @seneca and @eblanshey)!