Cockpit: How to AJAX request my own server on localhost?

Created on 16 Jun 2017  路  6Comments  路  Source: cockpit-project/cockpit

Hello,

for one of my plugins I need to access local server which is running on port 30093 and responding in JSON format. Cockpit is running on port 30092. Simple AJAX with jQuery fails with message:

Refused to connect to 'https://0.0.0.0:30093/get_servers_json' because it violates the following Content Security Policy directive: "connect-src 'self' https://<public ip>:30092 ws: wss:".

(anonymous) @ VM7040:1
send @ jquery-3.2.1.min.js:4
ajax @ jquery-3.2.1.min.js:4
(anonymous) @ ezpz_live_server_list.html:20
dispatch @ jquery-3.2.1.min.js:3
q.handle @ jquery-3.2.1.min.js:3

AJAX:

$.ajax({
    url: "https://0.0.0.0:30093/get_servers_json",
    success: function(data) {
        console.log("success");
        console.log(data);
        }
    });

I tried to add localhost to connect-src in manifest.json of my plugin:
"content-security-policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src https://0.0.0.0"

But Cockpit ignores it with message:

:30092/cockpit/@localhost/ezpz_live_server_list/ezpz_live_server_list.html#/:1 Ignoring duplicate Content-Security-Policy directive 'connect-src'.

Thanks for help and thumbs up for this nice project :)

Most helpful comment

FWIW, you can disable tls verification by passing the following as options to cockpit.http.

{
 tls : {
  validate: false
 }
}

All 6 comments

Is there a reason not to use cockpit.http instead of $.ajax. Cockpit supports connecting to multiple servers through a single cockpit-ws connection. So the host running your your package might not even be accessible from the users browser. By using cockpit.http you can be sure that localhost always refers to the same machine that the package is loaded from and the data gets loaded even if the users browser is unable to access the target machine.

Oh sure, I didn't realize that AJAX call is actually performed on client's side. So I have tried cockpit.http, but server is disconnecting me:

http = cockpit.http(30093);
request = http.get("/get_servers_json");

request.done(function(data) {
    console.log(data);
});

request.fail(function(exception) {
    console.log(exception);
});

Output from console.log(exception);:

te {problem: "disconnected", message: "Server has closed the connection.", toString: function}

Server is running on port 30093 and responding. I verified it through SSH with
wget https://0.0.0.0:30093/get_servers_json --no-check-certificate

Anyways thanks for quick help!

I have disabled HTTPS on that server and now the cockpit.http works fine :)

FWIW, you can disable tls verification by passing the following as options to cockpit.http.

{
 tls : {
  validate: false
 }
}

@petervo But if I still want to use framework' http module (say Angular 2 HttpModule) and I do need to connect to different hosts which are not sure connected to current host (via dashboard page), what content-security-policy I should set?

Something like this in manifest.json:

content-security-policy: default-src 'self' https://my-target-host

However if you want to make this generic, most people would make the connections from the server, instead of the Cockpit module.

To do this, you could override XMLHttpRequest to use cockpit.http instead. @martinpitt Are you aware of any examples which do this?

Was this page helpful?
0 / 5 - 0 ratings