Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CORS headers are not set when a HLS playlist is not yet available #1593

Open
SceneCityDev opened this issue Apr 5, 2024 · 4 comments
Open

CORS headers are not set when a HLS playlist is not yet available #1593

SceneCityDev opened this issue Apr 5, 2024 · 4 comments
Assignees
@getroot
Labels
bug Confirmed as bug long-term fix Requires a long-term fix

Comments

@SceneCityDev
Copy link

The CORS options in the configuration are meant to be applied to the vhost.

But they are not, they are only applied if a HLS playlist can be retrieved. While an HLS playlist is still pulled from the Origin, this causes 404 and later 201 ("Created") errors. That is fine.

However, for those 404 and 201s, the CORS headers are not set. This causes a browser security exception, which is also logged to the console. It also means that hls.js can not even see this error and respond to it ... the javascript exception will bubble up unhandled. If hls.js would receive the actual 404, it could handle it correctly.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Here are the headers sent for 404:

wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:44:01--  https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 404 Not Found
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Server: OvenMediaEngine
  Connection: Keep-Alive
  Content-Type: text/html
2024-04-05 17:44:06 ERROR 404: Not Found.

And here for the 201:

wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:45:39--  https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 201 Created
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Server: OvenMediaEngine
  Connection: Keep-Alive
  Content-Type: text/html
Length: 0 [text/html]
Saving to: 'avc-auto_llhls.m3u8'

And finally, here are the headers for the HLS playlist being available:

wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:45:48--  https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Cache-Control: no-cache, no-store
  Access-Control-Allow-Methods: GET
  Content-Length: 850
  Access-Control-Allow-Credentials: true
  Content-Encoding: identity
  Access-Control-Allow-Headers: *
  Content-Type: application/vnd.apple.mpegurl
  Connection: Keep-Alive
  Server: OvenMediaEngine
  Keep-Alive: timeout=5, max=100
  Access-Control-Allow-Origin: *
  Vary: Origin
Length: 850 [application/vnd.apple.mpegurl]
Saving to: 'avc-auto_llhls.m3u8.1'

As you can see, Access-Control-Allow-Headers and Access-Control-Allow-Origin headers are missing.

The suggested fix is to set those headers not in the HLS worker code, but directly inside the HTTP server code based on the vhost configuration, and no matter if an error is returned or a success.
@getroot
Copy link
Member

getroot commented Apr 8, 2024

There is default Cors setting for this.

https://github.com/AirenSoft/OvenMediaEngine/blob/master/misc/conf_examples/Server.xml#L300C4-L303C19

If this doesn't work for 404 errors etc, it's a bug. I will fix this. Thanks for the report.

@Morpheus235
Copy link

@getroot I am running into this Issue as well. Setting Default CrossDomains does not seem to work and the Header is never filled (at least for Status 201, 404, and 401).

@getroot getroot self-assigned this Jun 3, 2024
@getroot getroot added the bug Confirmed as bug label Jun 3, 2024
@stale Stale
Copy link

stale bot commented Aug 2, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 2, 2024
@stale stale bot closed this as completed Aug 9, 2024
@getroot getroot reopened this Aug 9, 2024
@stale stale bot removed the stale label Aug 9, 2024
@getroot getroot added the long-term fix Requires a long-term fix label Aug 9, 2024
@stale Stale
Copy link

stale bot commented Oct 19, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 19, 2024
@getroot getroot removed the stale label Oct 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@getroot getroot

Labels
bug Confirmed as bug long-term fix Requires a long-term fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@getroot @Morpheus235 @SceneCityDev