Unable to make rest api request due to server not setting correct CORS rules.

I am working on a small local webpage to switch my digital switches by hand.

As the rest api documentation says I sent this request:

var xhttp = new XMLHttpRequest();
xhttp.open("GET", "http://ip/status", true);
xhttp.send();

Which my browser quickly blocks, since the data that is returned does not have the correct CORS headers. I can send a header from the client, like this:

xhttp.setRequestHeader("Access-Control-Allow-Origin", "*");

But even then the server does not reply with the correct headers, and the request is still bocked.

In the settings of the shelly wabpage I cannot find any information on how to turn on the correct CORS headers.

Thank you both for your replies.

I am indeed using http and not MQTT, but since they are basically the same it doesn´t matter for the request syntax.

I am not using other systems like iobroker, fhem, or home assistent. Because I don´t like how they work and they are too slow/large for the older devices that run the screens that these switches run on.

I have made my own simple webpage that communicates with a php server I have set up myself.

The issue is here that the shelly itself is not setting the correct header in the response to API requests. I assume that these other services just ignore this security issue and continue anyways, but since my webpages are running in up-to-date browsers I cannot circument this myself.

I do not know in what language your server is written in. But your response should always (for public facing apis) include this header: 'Access-Control-Allow-Origin: *'.

This is because a device that makes a request to this server first checks with that header whether or not it should allow the data to be loaded. For security purposes any up-to-date browser should not allow requests to a server that does not explicitly state (with this header) that this location may make a request.

According to this page here: <https://shelly-api-docs.shelly.cloud/#shelly1-1pm-relay-0>

I should be able to send a request like this: "http://<IP>/relay/0?turn=toggle" to toggle the shelly. And this does work, but the shelly webserver also returns some data: ¨{"ison":true, "has_timer":false}¨

The browser sees this data and attempts to read the Cross Origin Content Security header.

If this header contains something that is either the sameas my IP, OR is a * character (which means allow everything) the browser will let this response through.

If however, and this is what happens now, such header is not on the data. The browser will detect security issue, post this to the log, and error out the webrequest.

You could help me by:

Telling me where the source code for the firmware can be found. (I may be able to add it myself if it is open source)

Or tell the team that works on this firmware to add this header to the request.