Read the statement by Michael Teeuw here.
Electron Security Issues
-
Hi all, Is there a bigger issue with the CORS policy updates? I have noticed the below warnings in the Developer window.
The list goes. Are there any recommendations on how to get rid of this? The CORS policy update seems to be affecting other modules that now stopped working as the responses are being blocked.
Would downgrading the Electron version resolve this or is a lower version not compatible with v2.18?
-
@mumblebaj I don’t know the answers, but the insecure warning is because we use http
electron doesn’t know our usage model, and the web standards have changed to only use https.
-
Thanks @sdetweil. I have noticed that. Is there plans on making changes to align to https?
-
@mumblebaj https is SUCH a pain in the rear, as you have to create a certificate,
cert requires a registered domain name(with a ip address) , and almost never are free, and expire and …
and self signed certs are more trouble than they are worth…
and >98% of the mirrors are internal to the house/office so no one outside can access, and <10% have any app access to the local system, (remote control and such) …
CORS is controlled by the SERVER not the client… some servers are rejecting weird client browser types (MagicMirror, not chrome or firefox), and some don’t like the 0.0.0.0 address that gets sent,
and some modules are using request (which has a problem here, one of the reasons for its deprecation) and some modules are using axios/… which are enforcing more…
and electron is changing too… -
@sdetweil Yep, understood. node-fetch has also had some changes which could cause some issues in future. I am trying to see if I can fix the MMM-Hue module and it calls out to a bridge which sits on the local network and runs into this CORS issue. Other modules have the same issue. This is going to make module dev a bit difficult, but I am sure we will adapt. :smiling_face_with_sunglasses:
-
the warnings are normal, see https://github.com/electron/electron/blob/main/docs/tutorial/security.md#electron-security-warnings and you can disable them
I agree that
httpsis a pain but I think we will be forced to use itI am trying to see if I can fix the MMM-Hue module and it calls out to a bridge which sits on the local network and runs into this CORS issue.
I see no chance to do this in the module. I found a first (ugly) workaround and will post this in the other thread later …
-
Thanks @karsten13. Will await your post there. I am rewriting the module but am running into all kinds of issues. It is ugly. :-(
-
@sdetweil Have you seen these errors before? Mirror still starts though. I have just noticed it now as I usually start my mirror from the cron.
[04.01.2022 19:49.27.681] [LOG] Connecting socket for: MMM-Remote-Control [04.01.2022 19:49.27.686] [LOG] Starting node helper for: MMM-Remote-Control [04.01.2022 19:49.27.724] [LOG] Connecting socket for: calendar [04.01.2022 19:49.27.729] [LOG] Starting node helper for: calendar [04.01.2022 19:49.27.732] [LOG] Sockets connected & modules started ... [04.01.2022 19:49.29.057] [LOG] Launching application. [28306:0104/194931.715456:ERROR:viz_main_impl.cc(161)] Exiting GPU process due to errors during initialization [04.01.2022 19:49.33.896] [ERROR] ERROR! Could not find main module js file for MagicMirror-backup-restore [28425:0104/194936.968648:ERROR:viz_main_impl.cc(161)] Exiting GPU process due to errors during initialization [28481:0104/194939.078132:ERROR:viz_main_impl.cc(161)] Exiting GPU process due to errors during initialization [28499:0104/194939.733204:ERROR:sandbox_linux.cc(376)] InitializeSandbox() called with multiple threads in process gpu-process. -
@mumblebaj looks like MagicMirror-backup-restore is in the modules folder… should be in the users root, as it’s not a MagicMirror ‘module’
mv ~/MagicMirror/modules/MagicMirror-backup-restore ~ -
@sdetweil Thanks Sam. That sorted it.
-
Recently I have only started coding and therefore do not pay attention to security bugs at all. I hope that it is not interesting for anyone to hack into our computer.
-
-
@sdetweil And so it begins. Modules like the MMM-Hue and others that talk to internal devices on the local network is going to become a problem.
-
didn’t know this but I’m not surprised …
When this limitation is live the modules must send the new header, we will see which of them are still maintained …
-
So a LetsEncrypt wildcard certificate could help here (if you have a domain that is). But does MM even support running with a cert out of the box, or do you need to recode stuff?
-
@fribse there is support for certs. but most people don’t have a registered domain
I use dyndns.org to get a name back to my server on my dynamic address. it has changed a few times over the years, and I switched service providers too
-
with own domain I would recommend to run a reverse proxy in front of mm (and any other app) which handles the cert stuff automatically (as e.g. traefik). So you have not to deal with cert stuff in the apps behind the proxy.
-
@karsten13 I would normally agreee, but this is only to satisfy weird demands on SSL, not for any form of security and the mirror is not externally available.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login