
I've stumbled upon this question and had the thought that my application should not require CORS, since it is hosted on the same server (a raspberry pi).

However, since CORS is a security "feature" I'm also not sure if avoiding it would even be good or best practice. (I'm pretty sure it isn't)

My single page application is rather simple and dealing with CORS added a bit of complexity to it that seems unnecessary to a project of this scale.

The SPA is coded with VueJS and the backend API is a Python Flask server. VueJS is hosted using Nginx; API calls to the Flask server are made through uWSGI. CORS only popped up since the Flask server sits on a different domain than the frontend that sits in the browser (from a network perspective).

As of now I haven't found a way to avoid CORS in my scenario, but when researching this it appears that configurations inside Nginx are the only way to approach this.


From my perspective, it is unnecessary to implement CORS. To explain, here is the concept of what the application does:

The frontend serves as a configuration page, where the board type and the serial port are set up. Additionally, there's also some customization of pin names and the pins used in general.

For example:

BoardType: input Board IM8

Port: SER1

Pins: 2

pin1 -> input 3 - name: "I am input 3"

pin2 -> input 6 - name: "I am input 6"

This configuration is done on firepi.com/setup

Then when clicking on the Visualization link firepi.com/visualization an interface is generated based on the setup. Basically since it's an input board, 2 buttons are created which correspond to input 3 and input 6.

When the buttons are pressed, an Ajax request to the Flask server is made, with the port and pin information. This will execute code on the Flask server, which activates said pin on the attached board.

The flask server is hosted on the same device, just on a different port (5000): 127.0.0.1:5000


In all of this there are two types of API requests:

  1. is the /setup, where the board information is sent to the Flask server, so the GPIOs are configured properly. The configuration is needed because the board can be wired up in various ways.
  2. is the /visuals, where you can interact with the board pins that you have wired up.

Since the frontend and backend are both on the raspberry pi, I don't see a reason why CORS shouldn't be avoided.

I do however understand why it is required, since the browser executing the requests is a different domain than the hosted backend, which is on the RPi.


My question:

Am I able to avoid CORS in my scenario? And if so, should I do it?

What do I need to look into? Everything? Just Nginx configuration? Just Flask server? Maybe just how the server ports are setup?

I tried to avoid showing code in this question since I thought it would not be required to get it answered. Also, it's a bit complicated to show all the code without explaining it.

HackXIt
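As an added example (not the poster's own configuration), the Nginx server block below does what the question is looking for: it serves the Vue build and reverse-proxies the API to Flask on the loopback interface, so the browser only ever talks to `http://firepi.com` and no cross-origin request, and therefore no CORS handling, exists. It assumes the Vue build lives in `/var/www/firepi`, that Flask (behind uWSGI) listens on `127.0.0.1:5000` over plain HTTP, and that the API routes are `/setup` and `/visuals`; all three are assumptions, not facts from the question.

```nginx
# Added example, not from the original question. Assumed paths and ports:
#   Vue build:      /var/www/firepi
#   Flask/uWSGI:    127.0.0.1:5000 (HTTP)
#   API routes:     /setup and /visuals, exposed to the browser as /api/setup and /api/visuals
server {
    listen 80;
    server_name firepi.com;

    root /var/www/firepi;
    index index.html;

    # SPA history-mode routes (/setup, /visualization) fall back to index.html.
    location / {
        try_files $uri $uri/ /index.html;
    }

    # Everything under /api/ is forwarded to Flask on loopback. The trailing
    # slash on proxy_pass strips the /api prefix, so Flask still sees /setup
    # and /visuals unchanged.
    location /api/ {
        proxy_pass http://127.0.0.1:5000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the Vue code calls `fetch('/api/setup', ...)` and `fetch('/api/visuals', ...)` with relative URLs, which are same-origin by construction, and any CORS headers or Flask-CORS setup can be removed. If uWSGI is configured with a uwsgi-protocol socket rather than an HTTP one, replace `proxy_pass` with `include uwsgi_params; uwsgi_pass 127.0.0.1:5000;`. Two caveats worth keeping in mind: binding Flask to 127.0.0.1 is also what keeps the GPIO-driving API off the network except through Nginx, so do not switch it to 0.0.0.0 to "fix" something later; and being same-origin does not protect the pin-activating endpoints from cross-site request forgery, since any page in the same browser can still submit a form POST to `http://firepi.com/api/visuals`. A CSRF token or an origin check on the POST endpoints is a separate measure.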
  • CORS is not about "same server". It is about "same domain name". If you use only one domain name, you probably don't need CORS, even if that domain name is served by more than a single server (load sharing, reverse proxying etc.). But, two distinct virtual hosts with different domain names will need CORS, even when hosted on the same server. Note: I feel this particular question could be right on Webmasters, not here. – Nikita Kipriyanov Oct 31 '19 at 19:03
  • Wasn't aware of the Webmasters exchange; if you feel it is the better exchange for this question you can flag it for a moderator to move it. But I do need to rephrase myself, because my domain would also be the same. – HackXIt Nov 01 '19 at 09:09
  • If everything is within the single FQDN, you will not be subject to same-origin policy restrictions. For cookies there could be a path restriction, but you are free not to use it and it is not applicable to Javascript requests: https://stackoverflow.com/questions/576535/cookie-path-and-its-accessibility-to-subfolder-pages – Nikita Kipriyanov Nov 02 '19 at 16:55
  • Well, everything is within the same FQDN. Only the port changes. Or is the port also part of the FQDN? – HackXIt Nov 04 '19 at 18:21
  • I'm using this post for avoiding cors in chrome https://alfilatov.com/posts/run-chrome-without-cors/ – Alex Filatov Jan 13 '20 at 20:10
  • Thanks for the hint – HackXIt Jan 14 '20 at 14:36
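As an added example (not code from the question or from any of the commenters), the JavaScript below classifies a request the way the browser's same-origin policy and CORS do, which addresses the port question raised in the comments: an origin is scheme plus host plus port, so `http://firepi.com` and `http://127.0.0.1:5000` (or `http://firepi.com:5000`) are different origins even though both are served by the same Raspberry Pi, while a relative `/api/visuals` is always same-origin. The URLs, methods and headers are constructed from the setup described in the question; the safelist check follows the Fetch standard's list of methods and headers that do not trigger a preflight, simplified by ignoring the per-header value length limits. It runs under Node.js (the `URL` class is a global) and in a browser.

```javascript
// Added example, not from the original post or comments. Classifies a browser
// request from a page origin to a target URL as "same-origin", "cors-simple"
// (sent without a preflight, but the script still cannot read the response
// unless the server sends Access-Control-Allow-Origin) or "cors-preflight".

// Methods and headers that never trigger a preflight (Fetch standard,
// "CORS-safelisted"). Value length limits on the headers are ignored here.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// The WHATWG URL parser resolves relative targets against the page URL and
// normalizes default ports, so http://firepi.com:80 and http://firepi.com
// yield the same origin while http://firepi.com:5000 does not.
function originOf(url, base) {
  return new URL(url, base).origin;
}

function sameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl, pageUrl);
}

function classifyRequest(pageUrl, targetUrl, method = "GET", headers = {}) {
  if (sameOrigin(pageUrl, targetUrl)) return "same-origin";
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return "cors-preflight";
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return "cors-preflight";
    if (lower === "content-type") {
      // Only the MIME type counts; parameters such as charset are ignored.
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return "cors-preflight";
    }
  }
  return "cors-simple";
}

// Constructed cases based on the setup in the question: the SPA is loaded from
// http://firepi.com and the Flask API lives on 127.0.0.1:5000 on the same Pi.
const PAGE = "http://firepi.com/visualization";
const CASES = [
  ["http://127.0.0.1:5000/visuals", "POST", { "Content-Type": "application/json" }],
  ["http://firepi.com:5000/visuals", "GET", {}],
  ["http://firepi.com:80/api/visuals", "POST", { "Content-Type": "application/json" }],
  ["/api/visuals", "POST", { "Content-Type": "application/json" }],
];

// Returns one line per case; handy for a quick look at what the browser will do.
function report(pageUrl = PAGE, cases = CASES) {
  return cases.map(([target, method, headers]) =>
    `${method} ${target} -> ${classifyRequest(pageUrl, target, method, headers)}`);
}

for (const line of report()) console.log(line);
```

The first case is the question's actual situation: a JSON POST from `http://firepi.com` to `http://127.0.0.1:5000` is cross-origin and preflighted, so Flask has to answer an `OPTIONS` request with the right `Access-Control-*` headers before the real request is even sent. The last two cases show the same call once the API is reachable on the page's own origin, where neither the port nor the JSON content type matters any more. Note that "cors-simple" is not "safe": the browser still sends such requests, including any cookies, and only withholds the response from the script.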

0 Answers