Using js-ipfs through file:// protocol

osimar · January 29, 2021, 2:38am

Hi. Is there a way to use js-ipfs solely on the client side? E.g. via file:// protocol?
If not, is there a tutorial about how to use http-api via file:// protocol?

osimar · January 29, 2021, 3:41am

I’m trying this:

<script>
    fetch('http://127.0.0.1:5001/api/v0/object/data',
        {
            method: 'POST',
            mode: 'no-cors',
            headers: {
                'Accept': '*/*',
                'Content-Type': 'application/x-www-form-urlencoded'
            },
            body: "arg=QmeomffUNfmQy76CQGy9NdmqEnnHU9soCexBnGU3ezPHVH"
        }
    )
        .then((response) => response.text())
        .then(data => console.log(data))
        .catch((error) => {
            console.error(error)
        })
</script>

But it gives me “net::ERR_ABORTED 403 (Forbidden)”

lidel · January 29, 2021, 3:00pm

fetch requests sent from file:// will have Origin: null and that is why you get 403 Forbidden.

This is a security feature, blocking sandboxed iframes without allow-same-origin on regular websites from accessing HTTP API on your localhost. file:// happens to send the same Origin, and also gets blocked.

Rule of thumb: don’t use file://, instead load your page via a local HTTP server. That ensures correct Origin and enables you to leverage CORS for access control.

You don’t need to install Nginx to play with this, any one-line server will do.
For example, if you use Node:

npx http-server . -p 3000 -c-1

A longer list of similar one-liners can be found here.

osimar · January 29, 2021, 3:27pm

Thanks for the tips.
Will origin be null too if I access a page through ipfs:// on Brave?
I’m trying to make a dynamic one page web app that would read data from a block chain where the first block comes from IPNS

David

osimar · January 29, 2021, 5:03pm

lidel:

fetch requests sent from file:// will have Origin: null and that is why you get 403 Forbidden.

This is a security feature, blocking sandboxed iframes without allow-same-origin on regular websites from accessing HTTP API on your localhost. file:// happens to send the same Origin, and also gets blocked.

Rule of thumb: don’t use file://, instead load your page via a local HTTP server. That ensures correct Origin and enables you to leverage CORS for access control.

You don’t need to install Nginx to play with this, any one-line server will do.
For example, if you use Node:
npx http-server . -p 3000 -c-1
A longer list of similar one-liners can be found here.

I Just tried using a server and still got the same error. I wonder if I’m doing something wrong with the fetch API.

lidel · January 29, 2021, 5:58pm

When you access resources via ipfs:// then an unique Origin will be created for each content root (CID). You can inspect the origin of every web page via window.location.origin. This applies to https:// as well.

If you want your web page to have access to the API port of your local IPFS Node, you need to safelist that specific Origin via CORS.

For example, to allow API access to http://localhost:3000 you would set:

ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http://localhost:3000", "http://127.0.0.1:5001"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "POST"]'

Topic		Replies	Views
Configuring Access-Control-Allow-Origin Help	2	1819	March 21, 2018
IPFS Companion CORS on Javascript Fetch Help ipfs-companion	2	634	February 5, 2021
Unable to get a file using the js http api Help js-ipfs	4	1030	March 13, 2018
How can I call findProvs and findPeer from the client's browser? js-ipfs	4	453	July 25, 2021
Calling ipfs-html-client add on browser leads to CORS error IPFS js-ipfs	0	684	May 23, 2021

Using js-ipfs through file:// protocol

Related Topics