CORS headers are not set when a HLS playlist is not yet available #1593
Description
The CORS options in the configuration are meant to be applied to the vhost.
But they are not, they are only applied if a HLS playlist can be retrieved. While an HLS playlist is still pulled from the Origin, this causes 404 and later 201 ("Created") errors. That is fine.
However, for those 404 and 201s, the CORS headers are not set. This causes a browser security exception, which is also logged to the console. It also means that hls.js can not even see this error and respond to it ... the javascript exception will bubble up unhandled. If hls.js would receive the actual 404, it could handle it correctly.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
Here are the headers sent for 404:
wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:44:01-- https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 404 Not Found
Content-Length: 0
Keep-Alive: timeout=5, max=100
Server: OvenMediaEngine
Connection: Keep-Alive
Content-Type: text/html
2024-04-05 17:44:06 ERROR 404: Not Found.
And here for the 201:
wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:45:39-- https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 201 Created
Content-Length: 0
Keep-Alive: timeout=5, max=100
Server: OvenMediaEngine
Connection: Keep-Alive
Content-Type: text/html
Length: 0 [text/html]
Saving to: 'avc-auto_llhls.m3u8'
And finally, here are the headers for the HLS playlist being available:
wget -S https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
--2024-04-05 17:45:48-- https://hel1-edge7.scenecity.net/origin2/oldschooldemos/avc-auto_llhls.m3u8
Resolving hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)... 65.108.96.50
Connecting to hel1-edge7.scenecity.net (hel1-edge7.scenecity.net)|65.108.96.50|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Access-Control-Allow-Methods: GET
Content-Length: 850
Access-Control-Allow-Credentials: true
Content-Encoding: identity
Access-Control-Allow-Headers: *
Content-Type: application/vnd.apple.mpegurl
Connection: Keep-Alive
Server: OvenMediaEngine
Keep-Alive: timeout=5, max=100
Access-Control-Allow-Origin: *
Vary: Origin
Length: 850 [application/vnd.apple.mpegurl]
Saving to: 'avc-auto_llhls.m3u8.1'
As you can see, Access-Control-Allow-Headers and Access-Control-Allow-Origin headers are missing.
The suggested fix is to set those headers not in the HLS worker code, but directly inside the HTTP server code based on the vhost configuration, and no matter if an error is returned or a success.