MMM-Hue CORS Policy Issue

karsten13

you can test the following, I couldn’t test this completely but the cors error was gone in my tests.

First yo need to create own certs, go into the config folder of mm (same folder where config.js is located) and run this command:

openssl req -newkey rsa:4096 \
            -x509 \
            -sha256 \
            -days 3650 \
            -nodes \
            -out example.crt \
            -keyout example.key \
            -subj "/C=DE/ST=Hessen/L=Frankfurt/O=MagicMirror/OU=MM/CN=www.example.com"

Then edit your config.js and add the following lines under the line with var config = {

	electronOptions: {
		webPreferences: {
			webSecurity: false
		}
	},
	useHttps: true,
	httpsPrivateKey: "config/example.key",
	httpsCertificate: "config/example.crt",

(Re)Start mm and test if MMM-Hue works now (there will still be a “mixed content” warning).

mumblebaj

@karsten13 Awesome. That worked. Much appreciated for the assist.

Fozi

@karsten13 You are a genius! That worked for me, too! Thanks so much!

karsten13

@fozi thanks but … no

would be better to have a solution without https, may someone else gets this figured out.

As an improvement for the above solution with https:

Holding the certs in the config directory makes them accessible from outside so better move them into a new directory beside config, e.g. certs which is not exposed. Don’t forget to update config.js afterwards.

mumblebaj

@karsten13 So I have been tinkering with the MMM-Hue module a bit and have replaced jQuery which seems to invoke XMLHttpRequest, with node-fetch, albeit the older version (2.6.1) of node-fetch, but it now returns data without requiring a certificate and the use of https.

CarstenD

The same problem appears to happen with MMM-Homematic. Getting same errors after update to 2.18.0

Access to XMLHttpRequest at 'http://192.168.178.xx/addons/xmlapi/state.cgi?datapoint_id=1824' from origin 'http://0.0.0.0:8080' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space private.

karsten13

@carstend

yes, was already reporty by @Fozi some posts above, MMM-Homematic uses jquery too.

OberfragGER

@karsten13 Its working now with:

var config = 
{
  electronOptions: {
		webPreferences: {
			webSecurity: false
		}
	},
  useHttps: true,
  httpsPrivateKey: "config/example.key",
  httpsCertificate: "config/example.crt",
  address: "localhost", 
  port: 8080,
//  address: '0.0.0.0',
  ipWhitelist: ["127.0.0.1", "::ffff:127.0.0.1", "::1", "::ffff:192.168.178.1/120", "192.168.178.100/24"],
  language: 'de',
  modules: [

But with this setting, i have noc access the the RemoteControl-GUI and API also! ;(
I really use it with my homeautomation to show/ hide modules.

Is there another possibility?

karsten13

@oberfragger

you must access the site with https, e.g. https://192.168.0.143:8080/remote.html

CarstenD

There is now a new version available for MMM-Homematic that also works w/o changing the config.