API calls on the PM1, CORS policy not set correctly

    Hi,

    I'm looking into the Shelly 1PM for the first time. I'm a software engineer myself, and I'm looking to call the data from an application I'm developing by myself.

    I see there's a setting called "Allow Cross-Origin Resource Sharing" under Internet & Security => Advanced - Developer Settings.

    Effectively this adds Access-Control-Allow-Origin * to each request. However this doesn't seem to be sufficient to allow the CORS. I'm getting the following error when calling {ip}/status:

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://192.168.2.4/status. (Reason: header ‘content-type’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).

    I think the response is still missing the header Access-Control-Allow-Headers.

    According to this answer on github that would be the solution(https://stackoverflow.com/questions/9459…gin-not-working), but it would be a software change for the Shelly 1PM.

    Has anyone had a similar issue?

    Would it be possible to manipulate the response headers from the Shelly 1PM.


    Best regards,

    Remsus

    :beer:

    I haven't tested GET Request via Javascript for quite a long time but allowing CORS is IMHO a dirty workaround. Whenever you built a solution the browser is restricting access more and more.

    If possible you should consider a server side solution with PHP, Python, or whatever you prefer as scripting language.

    Example in PHP:

    GitHub - shelly-tools/shelly-php-proxy-examples
    Contribute to shelly-tools/shelly-php-proxy-examples development by creating an account on GitHub.
    github.com

    >100 Shellies, darunter so gut wie alles was der Hersteller produziert hat. ;)
    :!: ich beantworte grundsätzlich keine Fragen per persönlicher Nachricht:!:

    Hi Seven of Nine,

    Thank you for your advice. ^^

    I think you're right. It seems a little tricky to call the endpoint from my web app. A self-owned back-end solution seems more clean, so I'll go for that. I read up a bit more about CORS and this generally seems to be the right solution.

    :beer: