Understanding CORS on UPnP/DLNA browsing

问题

I've been playing around with home-grown UPNP/DLNA Browsing.

What I manage to do is a shell script based approach using curl to query the Server and xsl processing to make html pages out of the answers.

Next I thought I could build all this into javascript/kind of interactive browser page. But now I hit the CORS issue as the requests are preflighted by the browser (they are not preflighted when using curl and the server speaks no CORS, just UPnP). Some simplest code trying to get the root of the upnp tree:...

<html>
<head>
<script language="javascript">
function newx() {
    var h = new XMLHttpRequest();
    h.open("POST", "http://hcds6106:50001/ContentDirectory/control", true);

    h.onreadystatechange = processme;

    h.setRequestHeader("SOAPACTION",'"urn:schemas-upnp-org:service:ContentDirectory:1#Browse"');

    h.setRequestHeader("Content-Type", "text/xml; charset='utf-8'");

    h.send('<?xml version="1.0" encoding="utf-8"?><s:Envelope xmlns:ns0="urn:schemas-upnp-org:service:ContentDirectory:1" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><ns0:Browse><ObjectID></ObjectID><BrowseFlag>BrowseDirectChildren</BrowseFlag><Filter>*</Filter><StartingIndex>0</StartingIndex><RequestedCount>0</RequestedCount><SortCriteria /></ns0:Browse></s:Body></s:Envelope>');
}

function processme()
{
    alert(this.status);
}
</script>
</head>
<body onload="newx();"/>
</html>

Clearly the browser (Firefox 47.0) hits

Cross-Origin Request Blocked: The Same Origin Policy disallows reading 
the remote resource at http://hcds6106:50001/ContentDirectory/control.
 (Reason: CORS header 'Access-Control-Allow-Origin' missing).

Is there any reasonable way I can tell my browser to skip the CORS stuff in this case because the server was not made for it? For Firefox or any other common UserAgent? I can't believe it can be so simple without a browser and close to impossible to get it interactive inside browser.... TIA!

回答1:

Is there any reasonable way I can tell my browser to skip the CORS stuff in this case because the server was not made for it?

No.

If it was possible, then I could tell the browsers of visitors to my website to skip the CORS stuff and let me read their data from their online banking and webmail services as well as their company intranet.

来源：https://stackoverflow.com/questions/38946536/understanding-cors-on-upnp-dlna-browsing