Local file content and CORS
Posted: Fri Oct 07, 2022 10:00 am
In CEF 88 it was possible to load local file content and generate cross-site requests just by specifying these flags:
```cpp
command_line->AppendSwitch("allow-universal-access-from-files");
command_line->AppendSwitch("allow-file-access-from-files");
```
In CEF 104 it seems that even with these flags we can load the local content, but cross-site requests are blocked by CORS policy. I've tried adding
```cpp
command_line->AppendSwitch("disable-web-security");
```
The Request Handling section referenced from #14 on the FAQ says that the correct way to deal with this is to either make a custom scheme, or intercept the requests and set them up as appropriate. So if I'm understanding this correctly, it sounds like the expected workflow is to:
- Stop using file://
- Intercept / add scheme
- Update server side to allow access for whatever this new scheme is in Access-Control-Allow-Origin
With regard to the last item, I tried using CefAddCrossOriginWhitelistEntry with my new scheme but this doesn't seem to override what the server says is allowed, so I'm not entirely sure I'm understanding what this function does.
I was able to get my client partially working by using a fake https url that I intercept and return the local file. This made it possible to generate the request and send along the cookies I needed because my fake url matched the expected scheme and domain from the server. I'm happy there is at least this way of doing things - but is there really not a way to force this stuff to work from the client side anymore or am I missing something?
I am mainly curious if this is a more future-proof way to handle this problem or if I am greatly over-complicating this. It seems like security changes are increasingly making it difficult to use this the way we have been for many years, but I guess that is the point.
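The third step of the workflow listed in the post (allowing the new scheme's origin in Access-Control-Allow-Origin) looks roughly like this on the server when cookies are involved. This is an added example, not code from the post or from CEF. The origin `app://local`, the host `app.example.com`, and the function name `CorsHeadersFor` are hypothetical, and the sketch assumes the custom scheme is registered as a standard scheme so the browser sends a `scheme://host` origin rather than `null`.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

using Headers = std::map<std::string, std::string>;

// Constructed allowlist of exact, serialized origins (hypothetical values).
static const std::set<std::string> kAllowedOrigins = {
    "https://app.example.com",
    "app://local",  // assumed origin of the custom-scheme page
};

// Builds the CORS response headers for a request that carries cookies.
// A denied origin gets only "Vary", so the browser blocks the cross-origin read.
Headers CorsHeadersFor(const std::string& origin, bool is_preflight) {
  Headers h;
  // The answer depends on the Origin header, so caches must key on it.
  h["Vary"] = "Origin";
  // Opaque origins (file:// pages, sandboxed frames) serialize as "null".
  // Every such page shares that value, so it is never allowlisted.
  if (origin.empty() || origin == "null") return h;
  // Exact match only: prefix or suffix matching would also admit
  // look-alike origins such as https://app.example.com.evil.test.
  if (kAllowedOrigins.count(origin) == 0) return h;
  // Credentialed requests require the exact origin here; browsers reject "*"
  // when Access-Control-Allow-Credentials is true.
  h["Access-Control-Allow-Origin"] = origin;
  h["Access-Control-Allow-Credentials"] = "true";
  if (is_preflight) {
    h["Access-Control-Allow-Methods"] = "GET, POST";
    h["Access-Control-Allow-Headers"] = "Content-Type";
    h["Access-Control-Max-Age"] = "600";
  }
  return h;
}

int main() {
  // Constructed sample Origin values: allowed, opaque, and look-alike.
  for (const char* origin :
       {"app://local", "null", "https://app.example.com.evil.test"}) {
    std::cout << "Origin: " << origin << "\n";
    for (const auto& kv : CorsHeadersFor(origin, /*is_preflight=*/true))
      std::cout << "  " << kv.first << ": " << kv.second << "\n";
  }
  return 0;
}
```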