Hi,
I'm using the following JavaScript code in my Blazor app
(https://localhost:7248), but I'm encountering a
CORS error when I try to connect with Guacamole.
*Js Code:*
window.authenticateGuacamole = async function (connectionId, token) {
  // Create the correct URL by injecting the connectionId into the string
  const url = `http://localhost:8081/#/client/${connectionId}`;
  // Perform a fetch request to validate token or any other logic (optional)
  const response = await fetch(url, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'guacamole-token': token
    },
  });
  // Check if the response is ok (status 200-299)
  if (response.ok) {
    // Open the URL in a new tab
    window.open(url, '_blank');
  } else {
    // Handle errors if necessary
    throw new Error('Request failed with status ' + response.status);
  }
};
*CORS error:*
Access to fetch at 'http://localhost:8081/#/client/mvrfh789jgh='
from origin 'https://localhost:7248'
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is
present on the requested resource. If an opaque response serves your needs,
set the request's mode to 'no-cors' to fetch the resource with CORS
disabled.
Thanks,
Pavithra
On Fri, 21 Feb 2025 at 00:05, Michael Jumper <[email protected]> wrote:
> On 2/20/25 10:06 AM, Nick Couchman wrote:
> > On Thu, Feb 20, 2025 at 12:10 PM pavithra vijayakumar
> > <[email protected]> wrote:
> >
> > Hi Team,
> >
> > I hope this message finds you well. I am currently working on the
> > Guacamole project and am seeking your guidance regarding the
> > security of client connections within my Blazor application
> > (using .NET C# and JavaScript).
> >
> > At present, I am able to successfully establish a connection to
> > Guacamole through the URL format:
> > https://{guacServer}/#client/{connectionId}?token={authToken}.
> > However, I am concerned about
> > the security implications of exposing the token in the URL. This
> > increases the risk of unauthorized access if the URL is copied and
> > shared.
> >
> > Additionally, I have encountered a *CORS issue* when attempting to
> > pass the token in the request header instead of the URL.
> >
> > Could you kindly advise on how to mitigate these security concerns,
> > prevent token exposure in the URL, and resolve the CORS issue?
> >
> > What version of Guacamole are you working with? In general, the token=
> > parameter was removed from Guacamole in the 1.4.0 release via this Jira
> > issue: https://issues.apache.org/jira/browse/GUACAMOLE-956.
> >
> > If you're still using or seeing the token= parameter, then you may be
> > using an older version of Guacamole, and upgrading will take care of a
> > lot of that.
> >
>
> For reference, the header used for the token since GUACAMOLE-956 is
> "Guacamole-Token".
>
> There are still a few locations where the old "token=" can be found,
> namely WebSocket where headers just aren't a possibility, but nearly all
> usages of the "token" query parameter have been replaced with
> corresponding usage of "Guacamole-Token".
>
> As for CORS, can you describe the issue you're encountering? What
> error(s) is your browser giving due to CORS? What CORS headers are you
> adding to the responses?
>
> - Mike
>
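
Added example, not part of the original thread or of Guacamole's code: it applies a simplified form of the browser's CORS rules to the fetch() call in the message above, showing which URL is actually requested (the `#/client/...` fragment is never sent), that the call is cross-origin, and that the custom token header forces a preflight. `analyzeRequest`, the connection ID and the token value are constructed for illustration.

```javascript
// Added example: why the browser blocks the fetch() in the message above.
// Simplified from the Fetch standard's CORS rules (value-length limits and the
// Range header are not modelled). analyzeRequest is a hypothetical helper.
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);

function analyzeRequest(pageOrigin, targetUrl, method, headers) {
  const page = new URL(pageOrigin);
  const target = new URL(targetUrl);
  const m = method.toUpperCase();
  const droppedFragment = target.hash;   // fragments never leave the browser
  target.hash = '';
  const crossOrigin = target.origin !== page.origin;

  // Header names that are not CORS-safelisted must be approved in a preflight.
  const unsafeHeaders = Object.entries(headers)
    .filter(([name, value]) => {
      const lower = name.toLowerCase();
      if (!SAFE_HEADERS.has(lower)) return true;
      if (lower !== 'content-type') return false;
      return !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
  const preflight = crossOrigin && (!SAFE_METHODS.has(m) || unsafeHeaders.length > 0);

  // Response headers the target would have to send for the call to succeed.
  const serverMustSend = {};
  if (crossOrigin) serverMustSend['Access-Control-Allow-Origin'] = page.origin;
  if (preflight && unsafeHeaders.length > 0)
    serverMustSend['Access-Control-Allow-Headers'] = unsafeHeaders.join(', ');
  if (preflight && !SAFE_METHODS.has(m)) serverMustSend['Access-Control-Allow-Methods'] = m;

  return { urlOnTheWire: target.href, droppedFragment, crossOrigin, preflight, serverMustSend };
}

// Constructed input mirroring the message: origin, target, method and header
// names come from the post; the connection ID and token are placeholders.
const report = analyzeRequest('https://localhost:7248',
  'http://localhost:8081/#/client/EXAMPLE_ID', 'POST', {
    'Content-Type': 'application/x-www-form-urlencoded',
    'guacamole-token': 'EXAMPLE_TOKEN',
  });
console.log(report);
```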