Ultralight icon indicating copy to clipboard operation
Ultralight copied to clipboard

Published 20 hours ago verified publisher icon ultralight-ux

how to disable cors?

Open smersh1307n2 opened this issue 3 years ago • 3 comments

Access to fetch at 'file:///D:/Visual%20Studio%20Projects/Hydra/Hydra/bin/Debug/net6.0/wwwroot/_framework/blazor.boot.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, edge, chrome-untrusted, https, isolated-app.

To solve this problem in nwjs, you can use chromium-args --disable-web-security.

smersh1307n2 avatar Sep 24 '22 07:09 smersh1307n2

i'm having cors issues as well, one way around this would be how uigt did it (they used a custom protocol, coui://)

barnabwhy avatar Nov 10 '22 22:11 barnabwhy

Seems you can easily achieve this with a few binary patches like this:

auto WebCore_handle = GetModuleHandleA("WebCore");
if (WebCore_handle)
{
	// skip protocol origin checks, especially allow directly loaded HTML to load file:/// sources
	// WebCore::SecurityOrigin::canDisplay(WTF::URL const &)
	MemoryAddress canDisplay = GetProcAddress(WebCore_handle, "?canDisplay@SecurityOrigin@WebCore@@QEBA_NAEBVURL@WTF@@@Z");
	canDisplay.Patch({ 0xB0, 0x01, 0xC3 }); // mov al,1 ; retn (return 1)
	// WebCore::CrossOriginPreflightResultCache::canSkipPreflight(WTF::String const &,WTF::URL const &,WebCore::StoredCredentialsPolicy,WTF::String const &,WebCore::HTTPHeaderMap const &)
	MemoryAddress canSkipPreflight = GetProcAddress(WebCore_handle, "?canSkipPreflight@CrossOriginPreflightResultCache@WebCore@@QEAA_NAEBVString@WTF@@AEBVURL@4@W4StoredCredentialsPolicy@2@0AEBVHTTPHeaderMap@2@@Z");
	canSkipPreflight.Patch({ 0xB0, 0x01, 0xC3 }); // mov al,1 ; retn (return 1)
	// WebCore::isSimpleCrossOriginAccessRequest(WTF::String const &,WebCore::HTTPHeaderMap const &)
	MemoryAddress isSimpleCrossOriginAccessRequest = GetProcAddress(WebCore_handle, "?isSimpleCrossOriginAccessRequest@WebCore@@YA_NAEBVString@WTF@@AEBVHTTPHeaderMap@1@@Z");
	isSimpleCrossOriginAccessRequest.Patch({ 0xB0, 0x01, 0xC3 }); // mov al,1 ; retn (return 1)
	// WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginHeaders(WebCore::HTTPHeaderMap const &,WebCore::StoredCredentialsPolicy,WTF::String &)
	MemoryAddress allowsCrossOriginHeaders = GetProcAddress(WebCore_handle, "?allowsCrossOriginHeaders@CrossOriginPreflightResultCacheItem@WebCore@@QEBA_NAEBVHTTPHeaderMap@2@W4StoredCredentialsPolicy@2@AEAVString@WTF@@@Z");
	allowsCrossOriginHeaders.Patch({ 0xB0, 0x01, 0xC3 }); // mov al,1 ; retn (return 1)
	// WebCore::CrossOriginPreflightResultCacheItem::allowsCrossOriginMethod(WTF::String const &,WebCore::StoredCredentialsPolicy,WTF::String &)
	MemoryAddress allowsCrossOriginMethod = GetProcAddress(WebCore_handle, "?allowsCrossOriginMethod@CrossOriginPreflightResultCacheItem@WebCore@@QEBA_NAEBVString@WTF@@W4StoredCredentialsPolicy@2@AEAV34@@Z");
	allowsCrossOriginMethod.Patch({ 0xB0, 0x01, 0xC3 }); // mov al,1 ; retn (return 1)
	// WebCore::passesAccessControlCheck(WebCore::ResourceResponse const &,WebCore::StoredCredentialsPolicy,WebCore::SecurityOrigin &,WTF::String &)
	MemoryAddress passesAccessControlCheck = GetProcAddress(WebCore_handle, "?passesAccessControlCheck@WebCore@@YA_NAEBVResourceResponse@1@W4StoredCredentialsPolicy@1@AEAVSecurityOrigin@1@AEAVString@WTF@@@Z");
	passesAccessControlCheck.Patch({ 0xB0, 0x01, 0xC3 }); // mov al,1 ; retn (return 1)
}

However it seems with this approach I am still having trouble passing the Authorization header on CORS requests, hmm. But well, at least it loads file:///, and for this only the first of the patches is required...

p0358 avatar Nov 16 '22 22:11 p0358

You can't and shouldn't. (That's a terrible choice in nwjs, and you should immediately stop using it forever.)

You should not be using fetch, which is a network solution, to attempt to pick up local things.

The normal way to do this is for the host to provide direct filesystem access. NWJS and Electron are both wrappings of node, so in those, you would use the fs module.

I don't know if Ultralight has added these things. There is an FFI in Chrome, but it's not easy to use.

As a developer, you do have two much simpler alternatives.

  1. Bundle the JSON into your code
  2. It's javascript. Change the extension.

Neither of those will work if your code is dynamic, but that's blazor's boot config, which isn't.

In the meantime, though, why are you trying to use Blazor? That won't work here.

Blazor is a library that hosts a web browser and opens its FFI up to C# software. This browser is already hosted by Ultralight. Blazor can't open up interoperability to other peoples' browsers.

Ultralight has C bindings. You can just use those in C# directly. Someone even already wrapped it for you. You don't need blazor.

https://github.com/ImpromptuNinjas/UltralightSharp

StoneCypher avatar Dec 19 '23 20:12 StoneCypher