-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS headers are not set when a HLS playlist is not yet available #1593
Comments
There is default Cors setting for this. If this doesn't work for 404 errors etc, it's a bug. I will fix this. Thanks for the report. |
@getroot I am running into this Issue as well. Setting Default CrossDomains does not seem to work and the Header is never filled (at least for Status 201, 404, and 401). |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
The CORS options in the configuration are meant to be applied to the vhost.
But they are not, they are only applied if a HLS playlist can be retrieved. While an HLS playlist is still pulled from the Origin, this causes 404 and later 201 ("Created") errors. That is fine.
However, for those 404 and 201s, the CORS headers are not set. This causes a browser security exception, which is also logged to the console. It also means that hls.js can not even see this error and respond to it ... the javascript exception will bubble up unhandled. If hls.js would receive the actual 404, it could handle it correctly.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Here are the headers sent for 404:
And here for the 201:
And finally, here are the headers for the HLS playlist being available:
As you can see, Access-Control-Allow-Headers and Access-Control-Allow-Origin headers are missing.
The suggested fix is to set those headers not in the HLS worker code, but directly inside the HTTP server code based on the vhost configuration, and no matter if an error is returned or a success.
The text was updated successfully, but these errors were encountered: