Detecting and Using IPFS Desktop Node

[logasja]

I ran into this same issue recently when developing an extension with IPFS in the backend. CORS will not allow the http api to talk to the desktop daemon. I fixed this in my extension by changing the source of the request, but this involved capturing the request before it was sent. Anyone found a workaround?

[lidel]

Present

AFAIK there is no workaround.

API is very powerful and you don't want random websites to manage your node. Regular browser context respects CORS, so you need to explicitly safelist Origins that are allowed to talk to the API via Access-Control-Allow-Origin header:

$ ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["https://origin-you-want-to-safelist.example.com", "http://127.0.0.1:5001"]'

If you run JS in a browser extension, then just like you said, one can override Origin via webRequest API because browser extensions are privileged contexts. Regular browser context does not have that API, so CORS is the only way to make it work.

Future

We want to make local IPFS node useful for websites without giving full access to the API (meta issue: ipfs/in-web-browsers#158), but that requires figuring out more flexible access controls for the API (ipfs/kubo#1532), or creating something else, tailored specifically for use on the web.