Rest API CORS

supermew · March 26, 2022, 10:21pm

Hi,

I’m building a custom web frontend for configuring router os devices using their new rest API.
Is it somehow possible to set CORS headers for the www-ssl to allow HTTP requests directly from a custom-built website without an intermediate backend?

TheNetworkALCOHOLIC · May 9, 2022, 8:19am

Have you got any luck? seems like intermediate backend is needed.

TheNetworkALCOHOLIC · July 4, 2022, 4:32pm

I found a solution if yousing webpack or vite, just put a proxy set secure to false and changeorigin to true. it’ll work!

Amm0 · December 5, 2022, 8:09pm

I wrote a Dockerfile for /container that can do this using NGINX official container with CORS reverse proxy configuration. If it helps, see my forum posting:
“Mginx” Container - Reverse Proxy for CORS & X.509 support using Nginx

edit: I need to proofread my posts, “X.509” not X506, and “wrote”

xsmael · December 21, 2022, 3:16pm

Would you please give more details about how you did it? i need something of the like.

xsmael · December 21, 2022, 3:18pm

Would you please give more details about how you did it? i need to do something of the like.

pjkundert · September 29, 2023, 2:13pm

Wow, lack of CORS in the REST API really limits its utility!

We deal with hundreds of remote Routeros devices, connected via ZeroTier links.

Instead of our status web page being able to directly access the devices, we have to shuttle requests through a centralized CORS proxy.

Super inefficient, slow and wasteful…

Amm0 · September 29, 2023, 3:29pm

Yup. It really open some possibilities. “Wasteful” is a good term.

I have long wanted to include a static .html page in a branding kit, with some JS to directly invoke RouterOS from the page – no backend required, no container, and everything be local to CPE. But the lack of even a CORS “same-origin” mean some backend and/or CORS reverse proxy is required.

I did put in a formal feature request (SUP-99112) a while back, and got a “we will see what can be done here” a while back – so semi-positive news. Specifically I purposed have a checkbox to enable in /ip/services with along with list FQDNs for the “allowed origins” returned by REST API to maintain CORS’s schemes*. On client-side, still have to the CORS dance (e.g. includeCredentials: true etc in fetch()/XMLRequest/etc) - but those are solvable. The lack of CORS headers being returned from REST server is not.

* there are many CORS rules on client side, so cors-allowed-origin header cannot be “*” when using credentials & RouterOS requires creds (e.g. basic auth)…so REST API have to deal with the origins somehow

maxinieto · December 9, 2023, 12:12pm

How did you do it? I am stuck with my react app

Amm0 · December 9, 2023, 5:16pm

If you look at the post above the one you quote…

The choice of client-side framework doesn’t change how a web browsers enforce CORS. So unless Mikrotik adds CORS support, there is no way for client-side JavaScript to directly use fetch() or XMLHttpRequest() — React framework nor packaging tools can not change it.

Now nodejs does NOT enforce CORS rules. And Vite is just a development nodejs server, so that’s an option. But any backend will do (e.g. Express, Hapi, etc. or some serverless lambda). Key is the rest api calls to RouterOS happen in the nodejs backend, not the front-end JS/HTML – but the frontend must use that “intermediate backend” (e.g. a nodejs-based HTTP server) to reach the router REST API.