How to allow requests to the FaceAPI web server from the several domains?

Issue

I need to allow requests to the web server from several domains.

Solution

You can specify various servers with FACEAPI_CORS_ORIGINS parameters, separating them with commas. No server is assigned by default, which means that the web browser allows requests to the web server from the same domain only.

Example

FACEAPI_CORS_ORIGINS FACEAPI_CORS_ORIGINS (https://192.168.0.1:41101,https://192.168.21.10:41101,https://192.168.45.110:41101). You can also specify an alternative port if it's different from the default 41101.

Comments

1 comment

Arturo Frappé Muñoz
September 12, 2023 08:07

Hello

I have a FaceAPI SDK Web, I'm trying to consume https://localhost:41101/api/ping from jQuery

But when I make the call, the FaceAPI blocks my requests.

Here is my .env file:

# modules

FACEAPI_ENABLE_IDENTIFICATION='false'

# FACEAPI_ENABLE_DEMO_WEB_APP='true'

#

# server config

FACEAPI_BIND='0.0.0.0:41101'

FACEAPI_WORKERS='1'

# FACEAPI_TIMEOUT='30'

# FACEAPI_BACKLOG='10'

# FACEAPI_HTTPS_PROXY='host:port' # do not specify protocol here

#

# https config

FACEAPI_HTTPS='true'

FACEAPI_CERT_FILE='certs/localhost.crt'

FACEAPI_KEY_FILE='certs/localhost.key'

#

# cors config

FACEAPI_CORS_ORIGINS='*'

FACEAPI_CORS_HEADERS='*'

FACEAPI_CORS_METHODS='*'

#

# logs section

FACEAPI_PROCESS_RESULTS_LOG_FILE='false'

# FACEAPI_LOGS_FORMATTER='text' # other options is 'json'

FACEAPI_LOGS_ACCESS_CONSOLE='true'

FACEAPI_LOGS_ACCESS_FILE='true'

# FACEAPI_LOGS_ACCESS_FILE_PATH='logs/access/facesdk-reader-access.log'

FACEAPI_LOGS_APP_CONSOLE='true'

FACEAPI_LOGS_APP_FILE='true'

# FACEAPI_LOGS_APP_FILE_PATH='logs/app/facesdk-reader-app.log'

# FACEAPI_PROCESS_RESULTS_LOG_PATH=''

# Liveness Settings

FACEAPI_LIVENESS_HIDE_METADATA='false'

FACEAPI_LIVENESS_GEN_1='true'

FACEAPI_LIVENESS_GEN_2='false'

........................................................................

Here is my PREFLIGHT request:

OPTIONS /api/ping?_=1694504946714 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Access-Control-Request-Headers: gemas-username
Access-Control-Request-Method: GET
Cache-Control: no-cache
Connection: keep-alive
Host: localhost:41101
Origin: https://test-sistemas.inami.gob.mx:8881
Pragma: no-cache
Referer: https://test-sistemas.inami.gob.mx:8881/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36

------

Here are the response headers:

HTTP/1.0 200 OK

Server: Werkzeug/2.2.3 Python/3.8.10

Date: Tue, 12 Sep 2023 07:49:07 GMT

Content-Type: text/html; charset=utf-8

Allow: OPTIONS, HEAD, GET

X-Frame-Options: SAMEORIGIN

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

Content-Security-Policy: default-src 'self' *.sentry.io; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://bat.bing.com https://*.clarity.ms https://www.clickcease.com https://consent.cookiebot.com https://consentcdn.cookiebot.com https://connect.facebook.net https://www.google.com https://www.google.de https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://js.intercomcdn.com https://snap.licdn.com https://widget.intercom.io https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; font-src 'self' data: https://fonts.gstatic.com https://js.intercomcdn.com; frame-src 'self' https://consentcdn.cookiebot.com https://www.facebook.com; frame-ancestors 'self'; form-action 'self' https://www.facebook.com https://regulaforensics.us12.list-manage.com; media-src 'self' data:; img-src 'self' data: https://*.bing.com https://*.clarity.ms https://downloads.intercomcdn.com https://www.facebook.com https://www.google.com https://www.google.de https://www.google-analytics.com https://googleads.g.doubleclick.net https://www.googletagmanager.com https://gtm-t9h3tx6-ntnhz.uc.r.appspot.com https://www.linkedin.com https://p.adsymptotic.com https://px.ads.linkedin.com https://q.quora.com https://static.intercomassets.com; child-src 'self' blob:; connect-src 'self' wss://nexus-websocket-a.intercom.io *.regulaforensics.com *.s3.eu-central-1.amazonaws.com *.execute-api.eu-central-1.amazonaws.com https://analytics.google.com https://api-iam.intercom.io https://*.clarity.ms https://consentcdn.cookiebot.com https://www.facebook.com https://www.google.com https://www.google-analytics.com https://googleads.g.doubleclick.net https://gtm-t9h3tx6-ntnhz.uc.r.appspot.com https://o557097.ingest.sentry.io https://stats.g.doubleclick.net https://uploads.intercomcdn.com

Strict-Transport-Security: max-age=31556926; includeSubDomains

Referrer-Policy: strict-origin-when-cross-origin

Access-Control-Allow-Origin: https://test-sistemas.inami.gob.mx:8881

Vary: Origin

Content-Length: 0

Connection: close

------------------------------------

How do I do not to get blocked my requests.

Thank you

0

Please sign in to leave a comment.

Issue

Solution

Example

Articles in this section