No 'Access-Control-Allow-Origin' - sending data to different server
#16
Does it make sense to support both JSONP and CORS?
Always read the online manual (wiki), FAQ (wiki) and search the forum before posting.
Do not e-mail Team Kodi members directly asking for support. Read/follow the forum rules (wiki).
Please read the pages on troubleshooting (wiki) and bug reporting (wiki) before reporting issues.
#17
They do not have the same purpose :)

CORS is needed for proper streaming, for example to allow subtitles and video to be served from XBMC on a Chromecast.
#18
Another use case for CORS is images. Say you want to do canvas operations on images in a webapp which uses images from a source other than the one serving the HTML/JavaScript: you need CORS, otherwise the image data is dirty. This would happen if you have a webapp serving HTML markup from something separated from the Kodi instance (say if we would host a webapp on kodi.tv for a remote and would want to blur a fanart on the client).
If you have problems please read this before posting

Always read the XBMC online-manual, FAQ and search the forum before posting.
Do not e-mail XBMC-Team members directly asking for support. Read/follow the forum rules.
For troubleshooting and bug reporting please make sure you read this first.

"Well Im gonna download the code and look at it a bit but I'm certainly not a really good C/C++ programer but I'd help as much as I can, I mostly write in C#."
#19
See PR6352 for JSONP support.

I'll have to read more about CORS to be able to figure out how to determine if an "Origin" header is allowed or not.
#20
For CORS there are 2 different things.

First, a convenience thing for users to allow sharing XBMC data (the Access-Control-Allow-Origin with either * or a configurable list) and / or JSONP.

Second a security usage when you'd have to check the origin header against the previously set parameter. (with high risk of compatibility breakage as 0 remote client for the moment does send the headers).


While the first would be quite welcome, the second IMO is not really urgent since there's other discussion on security that should be handled first.
Specially with webserver still lacking stability and more and more remote moving to TCP without authentication and users that open the 9090 port on internet without thinking about the risks.
#21
(2015-02-06, 10:41)Tolriq Wrote: Second a security usage when you'd have to check the origin header against the previously set parameter. (with high risk of compatibility breakage as 0 remote client for the moment does send the headers).
This is only really a problem if we want to support a configurable list. As a first step we should probably add an "all or nothing" CORS setting in which case there's no additional logic required on the backend (apart from adding the necessary HTTP header).

(2015-02-06, 10:41)Tolriq Wrote: Specially with webserver still lacking stability and more and more remote moving to TCP without authentication and users that open the 9090 port on internet without thinking about the risks.
Users opening port 9090 and allowing it to be accessed from the internet is their own problem and is not something that should be solved by Kodi. We have always taken the position that the security of the machine running Kodi is the responsibility of the user. The default setting is even not to allow connections from non-localhost to Kodi over TCP so users have to manually enable that.
That doesn't include the fact that we don't have any CSRF counter-measures in place for HTTP requests and that any JSON-RPC client can execute any JSON-RPC requests without any permissions etc.
#22
It depends on how "nothing" is handled on the backend; if "nothing" disables all access without an Origin header, it's a problem for users :)

For 9090 answer it's more or less the same as the 14.1 release for windows, disable webserver, if users can't use a feature but have another one that works they will use it.
(And the fact too that the setting is still labeled for remote and event server and not json on TCP 9090 as reported a few times)

Anyway I suppose we will continue to not agree on security and how users use XBMC, but while the Team post on G+ http://www.gadgetreview.com/2015/02/8-be...g-the-cord and are glad to be at 8, there's plex at 3 and only because plex have understood the need for multiple devices access and internet access.

I have numerous demands to make Yatse compatible with Plex and / or the Plex XBMC addon because lots of users prefer Kodi as a client but need Plex for transcoding and internet access.

There's not a lot missing (apart from the complex transcoding part) to have something that can be used, but security has to be taken into account on the Kodi side.
Reply
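The CORS options weighed in posts #20 to #22 (no header, "all or nothing", a configurable list, and optional rejection of disallowed origins) can be written as one decision function. This is an added example, not part of the thread and not Kodi's code; `CorsMode`, `CorsPolicy`, `DecideCors`, the `enforce` flag and the sample origin are hypothetical names.

```cpp
#include <set>
#include <string>

// Hypothetical setting values modelled on the options named in the thread.
enum class CorsMode { Off, AllowAll, AllowList };

struct CorsPolicy {
  CorsMode mode;
  std::set<std::string> allowed;  // exact origins: scheme://host[:port]
  bool enforce;                   // list mode only: refuse origins not listed
};

struct CorsDecision {
  bool serve;               // false: answer 403 and execute nothing
  std::string allowOrigin;  // Access-Control-Allow-Origin value, empty = omit
  bool varyOrigin;          // send "Vary: Origin" so caches separate origins
};

// origin == nullptr means the request carried no Origin header.
CorsDecision DecideCors(const CorsPolicy& policy, const char* origin)
{
  if (policy.mode == CorsMode::Off)
    return {true, "", false};   // no CORS header is ever sent
  if (policy.mode == CorsMode::AllowAll)
    return {true, "*", false};  // "all": no per-request logic needed

  // List mode. Remotes that are not browsers send no Origin header and
  // must keep working, so a missing header is never a reason to refuse.
  if (origin == nullptr)
    return {true, "", true};

  // "null" is sent by sandboxed or file:// documents; never trust it.
  const std::string value(origin);
  if (value != "null" && policy.allowed.count(value) > 0)
    return {true, value, true};

  // Origin not listed. Without enforcement the request still executes and
  // the browser only hides the response from the calling page.
  return {!policy.enforce, "", true};
}

// Constructed sample policy; the origin is a placeholder.
CorsPolicy SamplePolicy(CorsMode mode, bool enforce)
{
  return {mode, {"https://remote.example"}, enforce};
}
```

With `enforce` on, the list also needs the origin the web interface itself is served from, because browsers attach an Origin header to same-origin POST requests as well.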
#23
(2015-02-06, 13:05)Tolriq Wrote: Anyway I suppose we will continue to not agree on security and how users use XBMC, but while the Team post on G+ http://www.gadgetreview.com/2015/02/8-be...g-the-cord and are glad to be at 8, there's plex at 3 and only because plex have understood the need for multiple devices access and internet access.

That's totally beside the point and we will beat Plex in most areas. That review is done by a SINGLE person and not by a couple of million votes. So who cares that he puts us 8th and Plex 3rd.
They have their advantages and we have a lot more. We serve a totally different user base and up to the user what he wants.
Read/follow the forum rules.
For troubleshooting and bug reporting, read this first
Interested in seeing some YouTube videos about Kodi? Go here and subscribe
#24
Instead of quoting just one part, quote the rest that says what the users say :)

As I said, Kodi is superior in lots of ways and not a lot is missing, but well, you can just read the non-important part ;)