Bypass CORS for post requests from localhost to zotero connector listening on 23119


tankwyn

Aug 25, 2023, 2:30:35 PM
to zotero-dev
Hi everyone, I was trying to make a plugin for WPS to enable citing with Zotero, and I intend to do it with the HTTP citing protocol. However, the WPS plugin is client JavaScript and the fetch requests are blocked by CORS:

Access to fetch at 'http://127.0.0.1:23119/connector/document/execCommand' from origin 'http://127.0.0.1:3889' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. 

The 3889 port binds to the wpsjs debug server. The origin is 'file://' when deployed offline, but still gets blocked. So, is the connector only meant to be used by Google Docs and not even allow local access? Or, is there any workaround to this?

Dan Stillman

Aug 28, 2023, 4:13:10 AM
to zoter...@googlegroups.com
The Zotero Connector has host permissions, so it's not subject to the same-origin policy.

Can you explain the environment you're running this in? Are you not able to just bypass CORS (e.g., by modifying headers for these requests and faking the CORS response)? If you're running locally, presumably this is privileged code of some sort, so I would think you could do what you needed to do here without normal browser security features getting in the way.

tankwyn

Aug 30, 2023, 5:11:23 PM
to zotero-dev
The JS plugins in WPS are loaded from index.html, not as browser extensions; its plugin system is Chromium, so I can't fake the CORS response. I'm currently using an external program to make the requests, and I've been wondering if there's a way to whitelist localhost or something.
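
The external-program workaround mentioned in the thread can be written as a small loopback proxy that answers the preflight itself and forwards only allowlisted requests. This is an added example, not part of the thread and not Zotero or WPS code; the proxy port 23120, the names `decide` and `startProxy`, and the assumption that Zotero accepts the forwarded request from a local non-browser client are assumptions.

```javascript
// Added example: hypothetical loopback proxy, not Zotero or WPS code.
const ZOTERO = 'http://127.0.0.1:23119';   // connector server address from the thread
const PROXY_PORT = 23120;                  // assumed free port (hypothetical)
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:3889']); // wpsjs debug server
const ALLOWED_PATHS = new Set(['/connector/document/execCommand']);

// Decide how to answer one request: returns { status, headers, forward }.
function decide(method, path, origin) {
  // "null" (sent by file:// pages and sandboxed iframes) is never allowlisted:
  // every such document shares it, so it identifies no particular caller.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, forward: false };
  }
  if (!ALLOWED_PATHS.has(path)) {
    return { status: 404, headers: {}, forward: false };
  }
  // Echo the one allowlisted origin, never "*".
  const headers = { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (method === 'OPTIONS') {              // CORS preflight: answer locally
    headers['Access-Control-Allow-Methods'] = 'POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    return { status: 204, headers, forward: false };
  }
  if (method !== 'POST') return { status: 405, headers, forward: false };
  return { status: 200, headers, forward: true };
}

async function startProxy() {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const d = decide(req.method, req.url, req.headers.origin);
    if (!d.forward) { res.writeHead(d.status, d.headers); return res.end(); }
    const chunks = [];
    for await (const c of req) chunks.push(c);
    try {
      const up = await fetch(ZOTERO + req.url, {
        method: 'POST',
        headers: { 'Content-Type': req.headers['content-type'] || 'application/json' },
        body: Buffer.concat(chunks),
      });
      res.writeHead(up.status, { ...d.headers,
        'Content-Type': up.headers.get('content-type') || 'text/plain' });
      res.end(Buffer.from(await up.arrayBuffer()));
    } catch (e) {
      res.writeHead(502, d.headers); res.end(); // upstream unreachable
    }
  }).listen(PROXY_PORT, '127.0.0.1');      // bind to loopback only
}

if (process.argv.includes('--serve')) startProxy();
```

Run it with `node proxy.js --serve` (Node 18 or later, for the built-in `fetch`) and point the plugin's requests at port 23120 instead of 23119.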