CORS headers are not set when a HLS playlist is not yet available

[SceneCityDev]

The CORS options in the configuration are meant to be applied to the vhost.

But they are not, they are only applied if a HLS playlist can be retrieved. While an HLS playlist is still pulled from the Origin, this causes 404 and later 201 ("Created") errors. That is fine.

However, for those 404 and 201s, the CORS headers are not set. This causes a browser security exception, which is also logged to the console. It also means that hls.js can not even see this error and respond to it ... the javascript exception will bubble up unhandled. If hls.js would receive the actual 404, it could handle it correctly.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Here are the headers sent for 404:

wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:44:01--  https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 404 Not Found
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Server: OvenMediaEngine
  Connection: Keep-Alive
  Content-Type: text/html
2024-04-05 17:44:06 ERROR 404: Not Found.

And here for the 201:

wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:45:39--  https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 201 Created
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Server: OvenMediaEngine
  Connection: Keep-Alive
  Content-Type: text/html
Length: 0 [text/html]
Saving to: 'avc-auto_llhls.m3u8'

And finally, here are the headers for the HLS playlist being available:

wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:45:48--  https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Cache-Control: no-cache, no-store
  Access-Control-Allow-Methods: GET
  Content-Length: 850
  Access-Control-Allow-Credentials: true
  Content-Encoding: identity
  Access-Control-Allow-Headers: *
  Content-Type: application/vnd.apple.mpegurl
  Connection: Keep-Alive
  Server: OvenMediaEngine
  Keep-Alive: timeout=5, max=100
  Access-Control-Allow-Origin: *
  Vary: Origin
Length: 850 [application/vnd.apple.mpegurl]
Saving to: 'avc-auto_llhls.m3u8.1'

As you can see, Access-Control-Allow-Headers and Access-Control-Allow-Origin headers are missing.

The suggested fix is to set those headers not in the HLS worker code, but directly inside the HTTP server code based on the vhost configuration, and no matter if an error is returned or a success.

[getroot]

There is default Cors setting for this.

https://github.com/AirenSoft/OvenMediaEngine/blob/master/misc/conf_examples/Server.xml#L300C4-L303C19

If this doesn't work for 404 errors etc, it's a bug. I will fix this. Thanks for the report.

[Morpheus235]

@getroot I am running into this Issue as well. Setting Default CrossDomains does not seem to work and the Header is never filled (at least for Status 201, 404, and 401).

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.