da-anda (Team-Kodi Member; Posts: 6,252; Joined: Jun 2009; Reputation: 115)
would be a nice addition, but I'd probably not expose JSON_RPC to the world. Although things have been made a bit safer (only file access to defined shares) there could still be security issues, so be warned.
(Posts: 7; Joined: Mar 2005; Reputation: 0)
I agree that JSON-RPC shouldn't be exposed to the world. I was more thinking of the ability to turn it on like you can turn on the web server. By turning on I mean to configure it so that only the web server you want can access it. And that's exactly what CORS is meant to do.
Suven (Senior Member; Posts: 105; Joined: Nov 2010; Reputation: 1)
+1
I don't really see what makes it dangerous to activate CORS for XBMC's JSON-RPC. It is completely accessible via GET and TCP.
If you were visiting a 'bad' site which tries to read/delete/modify your library, your XBMC would have to be running at that very moment + the site would need to guess XBMC's IP and know that you are using it anyway.
I also do not see why somebody should put effort in stealing this data. What would the attacker gain?
From my understanding same-origin exists to protect the user from a site B which tries to read contents of site A. For example reading the contents of a bank account's dashboard when the user is logged in to it. But that always requires site B to know about the URL of site A, which is easy on the web, but hard in wild networks.
The header Access-Control-Allow-Origin: could also be set to something like 192.168.1.* (where the first 3 octets are fetched from XBMC's own IP). For me, that would be enough.
topfs2 (Team-Kodi Developer; Posts: 4,549; Joined: Dec 2007; Reputation: 17)
Not saying it isn't a valid idea, just wondering why you'd need this?
You want to access JSON-RPC (which exists on device B) on device A? So you have a webserver on A and access the data on B? I guess same device but different port would also be a use case?
If you have problems please read
this before posting
Always read the
XBMC online-manual,
FAQ and
search the forum before posting.
Do not e-mail XBMC-Team members directly asking for support. Read/follow the
forum rules.
For troubleshooting and bug reporting please make sure you
read this first.
"Well Im gonna download the code and look at it a bit but I'm certainly not a really good C/C++ programer but I'd help as much as I can, I mostly write in C#."
(Posts: 492; Joined: Dec 2006; Reputation: 5)
Heh... I was just on IRC asking for this. It just requires a header to be set on the response to an "OPTIONS" call
(Posts: 492; Joined: Dec 2006; Reputation: 5)
Already started. It's not as trivial as I indicated since it needs the right response headers in the right requests and there's more than one. I was thinking of making it an advanced option?
As far as the use case goes, I was looking for it because I want to host an angularjs based app to control my xbmc somewhere besides XBMC itself (including the details of what's in the library/images/fanart/etc). But then when you want to make a selection "play" you need to issue a json-rpc request to a machine that's not hosting the app. Browser security prevents this unless the secondary host has the correct headers set.
That requires CORS or JSONP (I'm doing CORS because I've been able to track down how - if someone thinks JSONP is a better solution then let me know and point me to what it entails - thanks).
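The preflight handling this post is after, as an added example that is not code from the thread or from XBMC/Kodi: a function that computes the CORS response headers for a JSON-RPC endpoint from the incoming request. The origin allow-list entry, the LAN pattern, and the names `buildCorsHeaders`/`originAllowed` are assumptions for the example. It goes a little beyond the post in that it also covers Suven's 192.168.1.* idea: `Access-Control-Allow-Origin` carries exactly one origin or `*`, so a range cannot be written into the header itself; the server has to match the request's `Origin` against the range and echo the matching origin back, and should never fall back to `*` for a JSON-RPC endpoint.

```javascript
// Added example (not XBMC/Kodi code): CORS response headers for a JSON-RPC
// endpoint. The Origin header is checked against an explicit policy and, when
// it matches, echoed back; a bare "*" is never emitted.

// Policy assumed for the example: a fixed allow-list of full origins plus an
// optional RegExp for browsers on the local LAN (constructed sample values).
const DEFAULT_POLICY = {
  allowedOrigins: ['http://nas.local:8080'],
  lanOriginPattern: /^http:\/\/192\.168\.1\.\d{1,3}(:\d+)?$/,
};

const ALLOWED_METHODS = ['POST', 'OPTIONS'];           // JSON-RPC over HTTP is POST here
const ALLOWED_REQUEST_HEADERS = ['content-type', 'authorization'];

function originAllowed(origin, policy = DEFAULT_POLICY) {
  // "null" is what browsers send for sandboxed/opaque origins; never allow it.
  if (typeof origin !== 'string' || origin === 'null') return false;
  if (policy.allowedOrigins.includes(origin)) return true;
  return policy.lanOriginPattern ? policy.lanOriginPattern.test(origin) : false;
}

// req: { method, headers } with lower-cased header names (as Node's http gives them).
// Returns the headers to add to the response and whether this was a preflight
// that should be answered with 204 instead of being passed to JSON-RPC.
function buildCorsHeaders(req, policy = DEFAULT_POLICY) {
  const headers = { Vary: 'Origin' };   // responses differ per Origin, so caches must key on it
  const origin = req.headers.origin;
  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;

  if (!originAllowed(origin, policy)) {
    // Foreign origin: answer without Access-Control-Allow-Origin. The browser
    // then refuses to hand the response (or the preflight result) to the page.
    return { headers, isPreflight };
  }

  headers['Access-Control-Allow-Origin'] = origin;

  if (isPreflight) {
    const requestedMethod = req.headers['access-control-request-method'].toUpperCase();
    const requested = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    const unknown = requested.filter(h => !ALLOWED_REQUEST_HEADERS.includes(h));
    if (!ALLOWED_METHODS.includes(requestedMethod) || unknown.length > 0) {
      // Decline the preflight: drop the origin grant so the browser fails it.
      delete headers['Access-Control-Allow-Origin'];
      return { headers, isPreflight };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_REQUEST_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';   // let the browser cache the preflight
  }
  return { headers, isPreflight };
}
```

A Node `http` server would call `buildCorsHeaders` on every request, set the returned headers, and answer with status 204 and no body whenever `isPreflight` is true, so the OPTIONS request never reaches the JSON-RPC handler; only a matching origin ever sees the actual JSON-RPC response.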
topfs2 (Team-Kodi Developer; Posts: 4,549; Joined: Dec 2007; Reputation: 17)
2014-01-16, 10:13 (This post was last modified: 2014-01-16, 10:14 by topfs2.)
Agree with Montellese, if we can get CORS running we don't need JSONP.
Just as a reference, this is how JSONP works.
Basically you take the response you would otherwise send as JSON and put it in an application/javascript file, where you call a callback with the given response.
So if the response is { "result": "foo" }, with JSONP you'd produce callback({ "result": "foo" });
Generally JSONP servers accept a param callback=foo which tells the server to do foo({ "result": "foo" }); instead.
EDIT: Do we need to make it a setting? Don't most of the bigger web servers enable it by default? It's a W3C-sanctioned thing so afaik the security is fine?
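The callback wrapping topfs2 describes, as an added example that is not code from the thread or from XBMC/Kodi. The names `jsonpBody`/`jsonpResponse`, the query parameter name `callback`, and the sample JSON-RPC response object are assumptions for the example. The part worth seeing beyond the description is the check on the callback name: it comes from the request, and it is written straight into a script body that the requesting page will execute, so the server only accepts a plain identifier and refuses anything else.

```javascript
// Added example (not XBMC/Kodi code): wrapping a JSON-RPC response as JSONP.
// The callback name is attacker-influenced input (it comes from the query
// string), so it is validated as a plain identifier before it is emitted.

const CALLBACK_NAME = /^[A-Za-z_$][\w$]{0,63}$/;   // a JS identifier of bounded length

// Pull "?callback=foo" out of a request URL. Returns null when absent.
function callbackFromUrl(url) {
  const q = url.indexOf('?');
  if (q < 0) return null;
  return new URLSearchParams(url.slice(q + 1)).get('callback');
}

// Build the script body "callback({...});" for a JSON-RPC response object.
// Throws when the callback name is not a safe identifier.
function jsonpBody(callback, rpcResponse) {
  if (!CALLBACK_NAME.test(callback)) {
    throw new Error('rejected callback name');
  }
  // U+2028/U+2029 are valid inside JSON strings but are line terminators in
  // older JS engines; escape them so the emitted script always parses.
  const json = JSON.stringify(rpcResponse)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `${callback}(${json});`;
}

// Response for a GET: plain JSON when no callback is given, JSONP when a valid
// one is, and 400 when the callback name is rejected.
function jsonpResponse(url, rpcResponse) {
  const cb = callbackFromUrl(url);
  if (cb === null) {
    return { status: 200, contentType: 'application/json', body: JSON.stringify(rpcResponse) };
  }
  try {
    return { status: 200, contentType: 'application/javascript', body: jsonpBody(cb, rpcResponse) };
  } catch (e) {
    return { status: 400, contentType: 'text/plain', body: e.message };
  }
}
```

Note that JSONP only works for GET requests, carries no `Origin` check at all, and hands the result to whichever page loaded the script tag, which is why the thread settles on CORS once it is available.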
da-anda (Team-Kodi Member; Posts: 6,252; Joined: Jun 2009; Reputation: 115)
don't think we need a setting for it - any other tool can directly call JSON-RPC without CORS or JSONP, it's only browsers that have the same-origin policy and need that workaround.
topfs2 (Team-Kodi Developer; Posts: 4,549; Joined: Dec 2007; Reputation: 17)
And you could even do --disable-web-security on Chrome and it will skip the CORS stuff, so it feels unnecessary for us as the server to have an option.
(Posts: 492; Joined: Dec 2006; Reputation: 5)
That's funny (how JSONP works) because I was thinking about a workaround in the app that would issue a jsonrpc request by building a <script> tag with angularjs, except it appears you can't do JSON-RPC requests with a GET anymore.
No setting makes it easier so that's fine with me.