Description
Issue extracted from #722 (review)
Summary
Right now IPFS Desktop is automatically adding CORS headers to $IPFS_PATH/config:
Without the above, Web UI won't load.
We should look into ways we can make it work without the need for touching API.HTTPHeaders, eg. see how IPFS Companion deals with the same problem.
Background Discussion
@olizilla asked:
I wonder how this could be abused. A fake scheme is a neat trick, but I don't know enough to reason about how it could be exploited if we added it to the list of allowed origins. I guess a site would have have been loaded from the webui:// scheme. What happens if a web-ext is allowed to registered itself as handling that scheme?
What are our other options here?
My main concern is about updating the users config for an external daemon. @lidel what do you think?
@lidel suggested:
Actually.. we have a lot of control over the browser (request headers etc) in IPFS Desktop, just like we do in IPFS Companion. This means we should not need to set the CORS header in daemon.
Electron (Chromium engine) is adding
Origin: nullto fetch requests made fromwebui://and internal contexts to HTTP API which acts as a sort-of-false-positive trigger for CORS validation, resulting in403 Forbidden:
Note: IPFS Companion works around this by removing Origin header from requests sent to the API from js-ipfs-http-client running in its background page:
- https://github.com/ipfs-shipyard/ipfs-companion/blob/v2.6.2/add-on/src/lib/ipfs-request.js#L107-L144
This makes those requests "no longer CORS" in view of go-ipfs.
I believe if we add similar fix to IPFS Desktop the need fororigins.push(...)will disappear.
