[Question] Does luakit support no-cors? #1056

Open
wsw70 opened this issue Aug 24, 2023 · 3 comments


wsw70 commented Aug 24, 2023

I have a case where I need to make a fetch from within an SPA to an endpoint that does not provide CORS headers. I am fine with making an opaque call using no-cors.

When testing my code on my laptop with Chrome, I get the expected behavior (a successful call to the backend without any response because of the nature of no-cors).
When moving the code to a server with Luakit, the calls are not sent from the SPA (everything else works).
When making a direct curl call from that server, it reaches the backend as expected.

It is not easy for me to debug on that server so before engaging in heavy-duty cables and connections reorganization I wanted to make sure that no-cors is supported by Luakit in the first place.

If this is the case (I am pretty sure that it is) I will go further with my tests.

Contributor

taobert commented Aug 24, 2023

Well, again, I don't really understand the technologies you're playing with, so the below may be unhelpful/incorrect.
My guess is no, but you may be able to add it without too much effort.

grep -ir cors on the luakit source returns nothing, and grep -ir secur returns nothing that looks interesting.
So, whatever luakit does is likely the webkitgtk default.
It looks like webkitgtk offers a webkit_set_security_policy_for_uri_scheme() which can set the policy to WEBKIT_SECURITY_POLICY_CORS_ENABLED. There are no hints in that manual about what the default might be.

:inspect doesn't give any hints?

Author

wsw70 commented Aug 25, 2023

> Well, again, I don't really understand the technologies you're playing with, so the below may be unhelpful/incorrect.

The idea behind CORS is that in order to make an HTTP call from JavaScript (nowadays with the fetch command), the browser will first send an OPTIONS call, retrieve the response headers, and check if these headers include some specific ones (notably Access-Control-Allow-Origin). If they are not present, the browser will abort the call.

So this is a security feature provided by the browser (and all the browsers I know implement it), so if a site you want to fetch() does not send these headers, you have to start hacking around (going through a proxy that will add these headers, for instance, or using some browser plugins).

There is one more workaround, which is to say to the browser "please make the call anyway but do not tell me anything about its result". This is called an opaque call and is driven by the no-cors option in the fetch() call. There are limited cases where this is interesting and I am in one of them (I just want to issue the call, it does not matter that I do not know if it succeeded or not).

> :inspect doesn't give any hints?

I will give this a try tonight. So far I used Luakit only as a "programmatically driven browser" - it is in kiosk mode and there are no interactions with it (no keyboard nor mouse). I will plug these in tonight and see how it works (and learn about :inspect on the occasion).
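Added example, not part of the comment above and not luakit code: a small probe that can be dropped into the SPA to show whether a `no-cors` fetch resolves as an opaque response (type `opaque`, status 0, as the Fetch standard specifies) or is rejected, with the verdict written into the page because a kiosk has no visible console. The function names and the placeholder URL `https://backend.example/ping` are assumptions made for this example.

```javascript
// Added example. Classifies the result of fetch(url, { mode: "no-cors" }).
// Fetch standard: a cross-origin no-cors response is "opaque":
// type "opaque", status 0, ok false, body not readable by script.

function classifyOutcome(outcome) {
  if (outcome.error) {
    // fetch() rejects with TypeError when the request is refused or the
    // network fails; it does not reject on HTTP error statuses.
    return outcome.error.name === "TypeError"
      ? "rejected: blocked or network error"
      : "rejected: unexpected " + outcome.error.name;
  }
  const { type, status } = outcome.response;
  if (type === "opaque" && status === 0) return "opaque: request was sent";
  if (type === "basic") return "basic: same-origin, status " + status;
  return "other: type=" + type + " status=" + status;
}

// fetchImpl is injectable so the logic can be exercised without a network.
async function probeNoCors(url, fetchImpl = globalThis.fetch) {
  if (typeof fetchImpl !== "function") return "fetch() is not available";
  try {
    const response = await fetchImpl(url, { mode: "no-cors" });
    return classifyOutcome({ response });
  } catch (error) {
    return classifyOutcome({ error });
  }
}

// Kiosk use: no console is visible, so write the verdict into the page.
function showVerdict(text) {
  if (typeof document === "undefined") return text; // non-browser run
  const el = document.createElement("pre");
  el.textContent = "no-cors probe: " + text;
  document.body.appendChild(el);
  return text;
}

// Usage in the SPA (placeholder URL, replace with the real endpoint):
// probeNoCors("https://backend.example/ping").then(showVerdict);
```

A "rejected" verdict does not by itself distinguish an unsupported mode from an unreachable host, so compare it with the same probe against a URL on the page's own origin.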


dpakkia commented Jan 7, 2024

Hi, I'm trying to set up a headless "kiosk" (more like a Linux-powered dashboard screen of sorts) and the only browser with decent performance on my Raspberry Pi 1 B is luakit. I'd like to know if there's a solution to this, because my website (a GUI addon on top of Google Calendar's ICAL) needs CORS bypass. Thanks
