
Fetch API with IPFS url's are blocked by cross-site tracking prevention


Hi,

What I’m trying to do is download a file via JavaScript from IPFS. In my Brave browser I have a local node enabled and put the local gateway to that node. So I’m not running the Brave built-in IPFS node!

Now when you access an IPFS file, the URL will be translated to a localhost one for the local gateway that is set up. This triggers the “Cross-site tracking” prevention shield and subsequently blocks the URL.

I am using the Fetch API here but I suppose using XMLHttpRequest would show the same issue. I haven’t tried that.

In your browser console (F12 -> console tab) type this:

let res = await fetch("https://ipfs.io/ipfs/bafkreidp3bolj5revf34mugbvmuir4k4lt6n2oys6mbu7piknyucktaonu")

You might need to wait a few seconds but it will eventually come back with this exact error:

VM340:1 GET http://localhost:8080/ipfs/bafkreidp3bolj5revf34mugbvmuir4k4lt6n2oys6mbu7piknyucktaonu net::ERR_BLOCKED_BY_CLIENT
(anonymous) @ VM340:1
Uncaught TypeError: Failed to fetch

Now if we try the exact same IPFS resource but with the IPFS protocol handles then it (weirdly…) works:

let res = await fetch("ipfs://bafkreidp3bolj5revf34mugbvmuir4k4lt6n2oys6mbu7piknyucktaonu")

This throws no error and works just fine. Which is ironic because this is likely internally translated to the very same localhost URL.

I suppose a fix would be to ignore localhost for the cross-site tracking prevention. Let me know if more information is needed, I’d be happy to help!

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 6

Top GitHub Comments

1 reaction
markg85 commented, Sep 25, 2021

Which is ironic because this is likely internally translated to the very same localhost URL. […] I suppose a fix would be to ignore localhost for the cross-site tracking prevention.

But you didn’t link to localhost. You linked to https://ipfs.io/ and were surprised a different origin was treated as a different origin.

Exactly. One should probably not link to localhost for public sites, it kinda tends to not work unless everyone in the world uses IPFS nodes. We’re not in that ideal world yet so I linked to the one accessible by everyone (thus https://ipfs.io/).

Your reply does make me wonder a bit as to what you mean? I can’t quite figure out if you agree with me that it’s a bug or if you think that I should’ve used localhost instead (the latter would be wrong in my opinion).

0 reactions
webel commented, Oct 31, 2022

Also wondering how to get around this, don’t fancy the gateway solution but I guess that’s the way to go.
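
A client-side sketch for the behaviour reported in this thread, added here as an example and not taken from the issue or from Brave's code: it rewrites a gateway URL to the `ipfs://` form the reporter found to work and falls back to the URL as given when that request fails. It also accepts subdomain gateway URLs, which goes beyond the case in the report; all function names are hypothetical, and whether `ipfs://` loads at all depends on the browser.

```javascript
// Added example; function names are hypothetical, not from the issue or from Brave.
const CID_RE = /^[A-Za-z0-9]+$/; // conservative shape check, not full CID validation

// Return { cid, rest } for an ipfs:// URI, a path gateway URL (/ipfs/<cid>/...)
// or a subdomain gateway URL (<cid>.ipfs.<host>/...); null for anything else.
function parseIpfsUrl(input) {
  const native = /^ipfs:\/\/([^/?#]+)(.*)$/i.exec(input);
  if (native) return CID_RE.test(native[1]) ? { cid: native[1], rest: native[2] } : null;
  let u;
  try { u = new URL(input); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  const tail = u.search + u.hash;
  const byPath = /^\/ipfs\/([^/]+)(\/.*)?$/.exec(u.pathname);
  if (byPath && CID_RE.test(byPath[1])) return { cid: byPath[1], rest: (byPath[2] || "") + tail };
  const bySub = /^([a-z0-9]+)\.ipfs\./.exec(u.hostname);
  if (bySub) return { cid: bySub[1], rest: (u.pathname === "/" ? "" : u.pathname) + tail };
  return null;
}

// URLs to try, in order: the native ipfs:// form first, then the URL as given.
function candidates(input) {
  const p = parseIpfsUrl(input);
  if (!p) return [input];
  const nativeUrl = `ipfs://${p.cid}${p.rest}`;
  return nativeUrl === input ? [input] : [nativeUrl, input];
}

// Try each candidate until one returns a 2xx response. A blocked request and an
// unsupported scheme both surface as a rejected fetch(), so either moves on.
async function fetchIpfs(input, fetchImpl = globalThis.fetch) {
  let lastErr;
  for (const url of candidates(input)) {
    try {
      const res = await fetchImpl(url);
      if (res.ok) return { url, res };
      lastErr = new Error(`HTTP ${res.status} from ${url}`);
    } catch (err) {
      lastErr = err; // e.g. "TypeError: Failed to fetch", as in the report
    }
  }
  throw lastErr;
}
```

The returned `url` shows which form actually loaded, which is useful to log when diagnosing a blocked request like the one above.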
