Tasmota: Check CORS (response header(s) for AJAX requests ("Access-Control-Allow-Origin: *") -> not working

Created on 6 Mar 2019 · 17 Comments · Source: arendst/Tasmota

Hi,

I would like to query the state from my sonoff device with another javascript enabled webpage making the same AJAX call as the device's website does: "http://sonoff-url.local/ay".

But because the CORS header "Access-Control-Allow-Origin: *" is not present in the device's output, I cannot do this (browser prohibits this).

Could you include this in the response? Then I can make my own dashboard with status without browser mqtt complexity ;-) Maybe you could add a header option to the configuration, so that everyone can add their own desired header(s)?

Wouldn't that be GREAT!!
And then we can create a simple dashboard web page with all device statuses in one view!

Thx,
TC.

fixed requested feature (hold over)

All 17 comments

Have you looked at this project? It is quite new and under heavy development by the author.
https://github.com/jziolkowski/tdm
The main goal of Tasmota is the use of MQTT. HTTP requests generate high CPU loads on the ESP device
and can generate WDT resets. So if you do too much querying you may get unreliable devices.

It looks cool. And maybe if I have time I will look into it. But it is not the same!

It would be super lightweight to be able to query the state of a sonoff in javascript through a simple AJAX request. No server required. Can be a done in a simple HTML page on any webserver or file system.

All we need is just a simple header from the sonoff.

Hi,

Thanks for sharing your ideas.

Your request is cool but seems out of the scope of Tasmota, sorry. Tasmota is mainly MQTT for integration into home automation systems. Besides, it seems very difficult for any common user to use your new way of communicating with Tasmota.

Anyway, you can make a pull request as a _Proof of Concept_ for testing.

If you are interested in helping the project, please check the documentation linked in the template that showed up when you opened the issue:

CONTRIBUTING GUIDELINES: https://github.com/arendst/Sonoff-Tasmota/blob/development/CONTRIBUTING.md
CODE OF CONDUCT: https://github.com/arendst/Sonoff-Tasmota/blob/development/CODE_OF_CONDUCT.md
SUPPORT CHANNELS: https://github.com/arendst/Sonoff-Tasmota/blob/development/SUPPORT.md

If you need help, you can find us in the Tasmota Support Chat and we will be glad to help you.

Support Information

See Wiki for more information.
See Chat for more user experience.

It appears that the code for this is already there (in xdrv_01_webserver.ino):

void WSHeaderSend(void)
{
  WebServer->sendHeader(F("Cache-Control"), F("no-cache, no-store, must-revalidate"));
  WebServer->sendHeader(F("Pragma"), F("no-cache"));
  WebServer->sendHeader(F("Expires"), F("-1"));
#ifndef ARDUINO_ESP8266_RELEASE_2_3_0
  WebServer->sendHeader(F("Access-Control-Allow-Origin"), F("*"));
#endif
}

I assume that #ifndef ARDUINO_ESP8266_RELEASE_2_3_0 evaluates true in release 6.4.1, but the header is not present in the response sent by the device:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 91
Connection: close

There are indeed no headers used by the ajax response.

Perhaps you could see it as a security measure; only the tasmota webclient can get to it...

You can always build your own firmware image enabling headers for the ajax response too. All you have to do is add the headers in function HandleRootStatusRefresh found in the latest dev versions.

Security enforced by the browser?!
You are not serious, are you?

On Fri, Mar 8, 2019 at 15:55 Theo Arends notifications@github.com wrote:

There are indeed no headers used by the ajax response.

Perhaps you could see it as a security measure; only the tasmota webclient
can get to it...

—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
https://github.com/arendst/Sonoff-Tasmota/issues/5410#issuecomment-470955522,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AO3fOZWdninJkUM-uX6TUe5ld6WAtM-Qks5vUnnQgaJpZM4bhkIG
.

Well, at least it refrains you from getting the info.

But I love your work and your firmware.
I really do not understand the problem.
And allowing AJAX calls through the browser greatly improves integration at the client level.


It does not refrain me from getting the info: a direct request from the browser to the URL works.
But I can't use the information in an AJAX call from a java page from a different source.

It sure hinders me. I could reconfigure my browser, and all users of the JavaScript would have to do the same to use it. Or I could introduce a proxy server only to add the header line you for some reason do not want to add..

Sigh


Positive note:

To go forward try to compile your own and add the required header at the correct position (see my answer above about function name). Once functional for you let me know and I might integrate.

Ok. I'll see if I can get the toolchain operational and go from there...

Ok, can be fixed easily by adding one line:

bool HandleRootStatusRefresh(void)
{

  // add line below to include HTTP headers in response
  WSHeaderSend(); // new line of code to fix issue
  WSSend(200, CT_HTML, mqtt_data);
  return true;
}


Ok. Built and tested it and it works.
The ajax call now returns headers, including the CORS header.
The browser no longer blocks the AJAX cross-site call and the JavaScript dashboard can be built using the data retrieved from the device(s).


Now that was fun ;-)

Thx for testing.

I see a lot of similar calls to WSSend(); without a preceding call to WSHeaderSend();
Didn't dive into it, but maybe you could consider sending headers in those cases as well ...

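Added example, not code from Tasmota or from anyone in this thread: a small JavaScript model of the browser-side CORS check the thread argues about, run over the response head quoted above for /ay. It shows that the request still reaches the device in both cases and that only the script's ability to read the response is gated, and it contrasts a blanket "*" with an origin allow-list (an assumed, illustrative option, not a Tasmota setting).

```javascript
// Parse a raw HTTP/1.1 response head (status line + headers) into an object.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const m = lines[0].match(/^HTTP\/1\.[01] (\d{3})/);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === "") break;              // blank line ends the head
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status: m ? Number(m[1]) : NaN, headers };
}

// Browser-style check for a simple (non-preflighted) GET: the request is sent
// regardless; this only decides whether a page at pageOrigin may READ the body.
function corsExposes(headers, pageOrigin, withCredentials = false) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;         // no header: opaque response
  if (acao === "*") return !withCredentials;    // wildcard never pairs with credentials
  if (acao !== pageOrigin) return false;
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") return false;
  return true;
}

// Narrower alternative to "*": reflect only an allow-listed Origin.
// Assumed allow-list format; Tasmota offers no such option, this is illustrative.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  const headers = { "Vary": "Origin" };         // caches must key on Origin
  if (allowedOrigins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Constructed samples: the /ay response head reported in the thread, and the
// same head once WSHeaderSend() adds Access-Control-Allow-Origin.
const BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 91\r\nConnection: close\r\n\r\n";
const AFTER = BEFORE.replace("Connection: close", "Access-Control-Allow-Origin: *\r\nConnection: close");

// Returns [readable before fix, readable after fix] for a dashboard page.
function dashboardCanRead(pageOrigin) {
  return [
    corsExposes(parseResponseHead(BEFORE).headers, pageOrigin),
    corsExposes(parseResponseHead(AFTER).headers, pageOrigin),
  ];
}
```

With "*" any page the user's browser visits can read the device state; the allow-list variant limits that to origins you name.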
