Allow accessing public shares with CORS

[pojntfx]

Explain the Problem

I'm trying to access a public WebDAV share as described in https://docs.nextcloud.com/server/20/user_manual/en/files/access_webdav.html#accessing-public-shares-over-webdav.

Steps to Reproduce

1. Add origins using web interface: http://localhost:15755,http://localhost:15755/
2. Make fetch request with hash of share as username:

fetch("https://nx904.your-storageshare.de/public.php/webdav/", {
  "headers": {
    "accept": "application/xml,text/xml",
    "authorization": "Basic cEZBOFBUd0NtSnlTVERqOg==",
    "content-type": "application/xml;charset=UTF-8",
    "depth": "1",
    "sec-ch-ua": "\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"90\", \"Google Chrome\";v=\"90\"",
    "sec-ch-ua-mobile": "?0"
  },
  "referrer": "http://localhost:15755/",
  "referrerPolicy": "strict-origin-when-cross-origin",
  "body": "<d:propfind xmlns:d='DAV:'>\n\t\t\t<d:prop>\n\t\t\t\t<d:displayname/>\n\t\t\t\t<d:resourcetype/>\n\t\t\t\t<d:getcontentlength/>\n\t\t\t\t<d:getcontenttype/>\n\t\t\t\t<d:getetag/>\n\t\t\t\t<d:getlastmodified/>\n\t\t\t</d:prop>\n\t\t</d:propfind>",
  "method": "PROPFIND",
  "mode": "cors",
  "credentials": "include"
});

3. The request fails due to CORS:

Access to fetch at 'https://nx904.your-storageshare.de/public.php/webdav/' from origin 'http://localhost:15755' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
wasm_exec.js:399 PROPFIND https://nx904.your-storageshare.de/public.php/webdav/ net::ERR_FAILED

It works using plain curl:

$ curl 'https://nx904.your-storageshare.de/public.php/webdav/' \
>   -X 'PROPFIND' \
>   -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"' \
>   -H 'sec-ch-ua-mobile: ?0' \
>   -H 'authorization: Basic cEZBOFBUd0NtSnlTVERqOg==' \
>   -H 'content-type: application/xml;charset=UTF-8' \
>   -H 'accept: application/xml,text/xml' \
>   -H 'Referer: http://localhost:15755/' \
>   -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36' \
>   -H 'depth: 1' \
>   --data-raw $'<d:propfind xmlns:d=\'DAV:\'>\n\u0009\u0009\u0009<d:prop>\n\u0009\u0009\u0009\u0009<d:displayname/>\n\u0009\u0009\u0009\u0009<d:resourcetype/>\n\u0009\u0009\u0009\u0009<d:getcontentlength/>\n\u0009\u0009\u0009\u0009<d:getcontenttype/>\n\u0009\u0009\u0009\u0009<d:getetag/>\n\u0009\u0009\u0009\u0009<d:getlastmodified/>\n\u0009\u0009\u0009</d:prop>\n\u0009\u0009</d:propfind>' \
>   --compressed
<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:oc="http://owncloud.org/ns" xmlns:nc="http://nextcloud.org/ns"><d:response><d:href>/public.php/webdav/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype><d:getetag>&quot;608923d732f31&quot;</d:getetag><d:getlastmodified>Wed, 28 Apr 2021 08:59:03 GMT</d:getlastmodified></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:displayname/><d:getcontentlength/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response><d:response><d:href>/public.php/webdav/2021/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype><d:getetag>&quot;608923d732f31&quot;</d:getetag><d:getlastmodified>Wed, 28 Apr 2021 08:59:03 GMT</d:getlastmodified></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat><d:propstat><d:prop><d:displayname/><d:getcontentlength/><d:getcontenttype/></d:prop><d:status>HTTP/1.1 404 Not Found</d:status></d:propstat></d:response></d:multistatus>

System Information

• WebAppPassword app version: 21.3.0
• Nextcloud version: 20.0.9
• Cron type: / (Hosted by Hetzner)
• PHP version: / (Hosted by Hetzner)
• Database and version: / (Hosted by Hetzner)
• Browser and version: Chrome 90, Firefox 88
• Distribution and version: Fedora Linux 34

Contents of nextcloud/data/nextcloud.log

Paste output here

(No access to logs, hosted by Hetzner)

Contents of Browser Error Console

Read http://ggnome.com/wiki/Using_The_Browser_Error_Console if you are unsure what to put here

Access to fetch at 'https://nx904.your-storageshare.de/public.php/webdav/' from origin 'http://localhost:15755' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
wasm_exec.js:399 PROPFIND https://nx904.your-storageshare.de/public.php/webdav/ net::ERR_FAILED

[pbek]

Contents of nextcloud/data/nextcloud.log

Don't you have logs in your Nextcloud admin console? Something like https://nx904.your-storageshare.de/settings/admin/logging

[pbek]

fetch("https://nx904.your-storageshare.de/public.php/webdav/", {

where are you making this request? In a browser on your http://localhost:15755 webpage?

[pbek]

It works using plain curl:

curl hasn't the same restrictions as a web-browser

[pbek]

wasm_exec.js

Are you using web assembly to run the fetch? I've no idea what the browser restrictions are in that case...

[pojntfx]

@pbek Thanks for the quick response! Logs are just empty, even with an admin account - hosting restrictions. For the questions:

1. The request is made from origin http://localhost:15755
2. Exactly - I just wanted to isolate it down to a CORS and not an authentication etc. problem
3. Yes, it is WASM (Go)! There are no restrictions here though and running the plain fetch call/calling the DOM yields the same error.

I've also found a (hacky) workaround; the app I'm building (https://github.com/pojntfx/growlapse) uses a Go agent to export IoT image data to a WebDAV share, and I'm then trying to visualize this data with a WASM frontend. Using read-only guest users I was able to just share access to a guest user and have functionally the same effect (read-only access to a directory from the browser): https://github.com/pojntfx/growlapse/blob/main/docs/backend_nextcloud.md.

A working version of my hacky workaround (using a read-only guest user; trying to access /; see the "Network" tab of your browser for the successful request): https://pojntfx.github.io/growlapse/?webDAVPassword=Growlapse&webDAVURL=https%3A%2F%2Fnx904.your-storageshare.de%2Fremote.php%2Fdav%2Ffiles%2Ffelix.pojtinger%40gmail.com%2F&webDAVUsername=felix.pojtinger%40gmail.com

[pbek]

Like I said, I've no idea how CORS is handled inside WASM in a browser.
And I don't think that you simply can spoof the referrer in the fetch command, like you did above.
What happens when you remove the two referrer parameters?

And did you try the example from https://github.com/digital-blueprint/webapppassword#example? It also uses fetch.

[pbek]

After all CORS is something your web browser enforces, not the Nextcloud server. webapppassword only attempts to set some headers (hoping that hetzner doesn't override them, you should see those preflight requests in your web inspector) that tells your browser that it is ok to let the request through when it is coming from a certain origin.

[pojntfx]

CORS inside WASM is the same as CORS w/o WASM, it simply binds to the DOM API - there should be no difference, any manually executing the request yields the same error. The command above is from the developer tools, not manually constructed by me - it's the request that Chrome sends. Removing the headers doesn't change anything, as you've already pointed out. The example you've given doesn't allow me to specify a user manually, but rather seems to use OAuth, which is not how the public share API works (Nextcloud wants the ID of the share as the username and no password)

[pbek]

CORS inside WASM is the same as CORS w/o WASM, it simply binds to the DOM API - there should be no difference

then what do you see in the network log of your browser? there should be response headers with access-control-allow-origin telling you what origins are allowed and there should be OPTION requests done by your browser...

[pbek]

but rather seems to use OAuth

username/password in https://github.com/digital-blueprint/webapppassword/blob/master/docs/example/index.html#L100

[pojntfx]

username/password in https://github.com/digital-blueprint/webapppassword/blob/master/docs/example/index.html#L100

Thanks; setting it there doesn't seem to fix it though:

const webdavUrl = "https://nx904.your-storageshare.de/public.php/webdav";

    const headers = new Headers();
    headers.set('Authorization', 'Basic ' + btoa("wWfAA3sMSoyfgJB" + ":"));

    fetch(webdavUrl + "/", {
        method: 'PROPFIND',
        cache: 'no-cache',
        headers: headers
    })

Using the plain example works of course, but the WebDAV URL returned by the app is https://nx904.your-storageshare.de/remote.php/dav/files/felix.pojtinger--administrator/ which is of course not the public share one wants to access.

Pasting davs://wWfAA3sMSoyfgJB@nx904.your-storageshare.de/public.php/webdav into Nautilus' address field and using an empty password works and returns the read-only share.

[pbek]

What are the response and request headers of those two red requests?

[pojntfx]

For the first one:

For the second one:

[pbek]

You don't get the response headers... They are supposed to look like: