Safari CORS problem

[thienpow]

if i am running the webpage on http://localhost:3000 it works for both Safari & Chrome & Firefox...
however if i am running the webpage on https://mydomain.com only Safari fail to connect to the go-ipfs daemon while all the other browser still work on the https://mydomain.com. I think the CORS header at the api got a different requirements or format that Safari ask for.

and actually it happen the same for https://webui.ipfs.io/ too... safari 13.1.1 would be rejected to gain access to the local go-ipfs daemon

in the mean time, Brave browser just works

in short, http://localhost:xxxx works on all browser, https://xxx.com only Safari would fail

and i think it's a very old problem for long...

https://stackoverflow.com/questions/16824661/cors-request-not-working-in-safari

Originally posted by @thienpow in #3130 (comment)

[welcome]

Thank you for submitting your first issue to this repository! A maintainer will be here shortly to triage and review.
In the meantime, please double-check that you have provided all the necessary information to make this process easy! Any information that can help save additional round trips is useful! We currently aim to give initial feedback within two business days. If this does not happen, feel free to leave a comment.
Please keep an eye on how this issue will be labeled, as labels give an overview of priorities, assignments and additional actions requested by the maintainers:

• "Priority" labels will show how urgent this is for the team.
• "Status" labels will show if this is ready to be worked on, blocked, or in progress.
• "Need" labels will indicate if additional input or analysis is required.

Finally, remember to use https://discuss.ipfs.io if you just need general support.

[thienpow]

https://www.chromestatus.com/feature/4539473312350208

i think this could be the problem, bcos i find that the api in the browser would generate a "same-origin" header... this obviously won't allow a webapp deployed on https to connect a local machine http://localhost:5001

[achingbrain]

Does this happen against js-ipfs too?

[thienpow]

just tried shooting up jsipfs daemon... same problem for Safari + Https...
localhost:5002/webui is working on all browser...
https://webui.ipfs.io only Safari would fail, while all other browser is working.

[jacobheun]

@lidel is this related to the localhost secure issues?

[lidel]

I believe this is unrelated. Seems Safari's CORS validation of public Origin follows different rules than Chromium/Firefox, but I don't own a Mac to confirm if the issue with CORS on https://webui.ipfs.io loaded in Safari is real.

@rafaelramalho19 – mind taking a look?

[rafaelramalho19]

@lidel I can confirm that I can replicate this issue on Safari only

This appears to be an old issue with Safari, and I couldn't find a direct approach to fixing this (https://stackoverflow.com/questions/39076180/https-page-was-not-allowed-to-run-insecure-content-from-safari-extension-uri)

[achingbrain]

This is not to do with CORs, this is because we're trying to access content in an insecure way from a secure location - the page is loaded over https but the API request is made over http.

You used to be able to turn this off as a Safari preference but it's been removed, which is probably for the best.

I'm going to close this, it's a duplicate of ipfs/ipfs-webui#1541