Local file content and CORS

Postby skpjoe » Fri Oct 07, 2022 10:00 am

In CEF 88 it was possible to load local file content and generate cross-site requests just by specifying these flags
Code:
command_line->AppendSwitch("allow-universal-access-from-files");
command_line->AppendSwitch("allow-file-access-from-files");

In CEF 104 it seems that even with these flags we can load the local content, but cross-site requests are blocked by CORS policy. I've tried adding
Code:
command_line->AppendSwitch("disable-web-security");
but that seems to do nothing despite many Stack Overflow posts that indicate the flag still works if you pass user-data-dir and/or disable site isolation as well (didn't work for me at least).

The Request Handling section referenced from #14 on the FAQ says that the correct way to deal with this is to either make a custom scheme, or intercept the requests and set them up as appropriate. So if I'm understanding this correctly, it sounds like the expected workflow is to
  • Stop using file://
  • Intercept / add scheme
  • Update server side to allow access for whatever this new scheme is in Access-Control-Allow-Origin

With regard to the last item, I tried using CefAddCrossOriginWhitelistEntry with my new scheme but this doesn't seem to override what the server says is allowed, so I'm not entirely sure I'm understanding what this function does.

I was able to get my client partially working by using a fake https url that I intercept and return the local file. This made it possible to generate the request and send along the cookies I needed because my fake url matched the expected scheme and domain from the server. I'm happy there is at least this way of doing things - but is there really not a way to force this stuff to work from the client side anymore or am I missing something?

I am mainly curious if this is a more future-proof way to handle this problem or if I am greatly over-complicating this. It seems like security changes are increasingly making it difficult to use this the way we have been for many years, but I guess that is the point.
skpjoe

Re: Local file content and CORS

Postby magreenblatt » Fri Oct 07, 2022 10:52 am

> I was able to get my client partially working by using a fake https url that I intercept and return the local file.

That is the most future-proof approach.
magreenblatt
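
An added example, not code from either poster or from CEF: because the intercepted fake https origin carries the server's cookies, the interception code should map URLs to files only inside one fixed directory. `kFakeOrigin`, `ResolveLocalPath` and the `/opt/app/ui` root are hypothetical names; the function would be called from whatever CEF request-interception callback the client uses.

```cpp
#include <iostream>
#include <string>

// Hypothetical fake origin; it would match the scheme and domain the server expects.
static const std::string kFakeOrigin = "https://app.example.invalid";

// Map an intercepted request URL to a file path under `root`.
// Returns false unless the URL is on the fake origin and stays inside `root`;
// the caller then leaves the request alone instead of serving a local file.
bool ResolveLocalPath(const std::string& url, const std::string& root,
                      std::string* out) {
  const size_t n = kFakeOrigin.size();
  // The origin must be followed by '/', so that a look-alike host such as
  // "app.example.invalid.evil.test" does not pass a plain prefix check.
  if (url.compare(0, n, kFakeOrigin) != 0) return false;
  if (url.size() <= n || url[n] != '/') return false;

  // Keep only the path: drop the query string and fragment.
  std::string path = url.substr(n + 1);
  path = path.substr(0, path.find_first_of("?#"));
  if (path.empty()) path = "index.html";

  // Percent-encoded names are refused rather than decoded, so "%2e%2e"
  // cannot hide a ".." segment; backslashes, drive colons and control
  // characters are refused as well.
  for (char c : path) {
    if (c == '%' || c == '\\' || c == ':' ||
        static_cast<unsigned char>(c) < 0x20) return false;
  }

  // Every segment must be a plain name: no "", "." or "..".
  for (size_t start = 0; start <= path.size();) {
    size_t end = path.find('/', start);
    if (end == std::string::npos) end = path.size();
    const std::string seg = path.substr(start, end - start);
    if (seg.empty() || seg == "." || seg == "..") return false;
    start = end + 1;
  }
  *out = root + "/" + path;
  return true;
}

int main() {
  // Constructed sample URLs.
  std::string p;
  for (const char* u : {"https://app.example.invalid/js/app.js?v=2",
                        "https://app.example.invalid/../secret",
                        "https://app.example.invalid.evil.test/x"}) {
    std::cout << u << " -> "
              << (ResolveLocalPath(u, "/opt/app/ui", &p) ? p : "(rejected)") << "\n";
  }
}
```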