A heads-up for anyone implementing Web App + HTTP WiFi provisioning in their products (like the mDash Smart Light example): Chrome support is going away
Here’s the unfortunate scoop:
In Chrome 94 Google released a new implementation of the Private Network Access (formerly CORS-RFC1918) spec. This restricts your ability to access an unsecure local address from a remote site.
In the Smart Light example the mDash ESP32 webserver exposes HTTP endpoints via 192.168.4.1 If you try to access this from a external site (e.g. a Web App hosted on mDash or elsewhere) Chrome will block it as a CORS violation. The error will look something like this:
Access to XMLHttpRequest at 'http://192.168.4.1/GetKey' from origin 'http://mysite.com' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space
You can read more about this in-depth here along with a temporary Chrome flag workaround, but that workaround expires in May 2020. Firefox and Safari seem to be working (for now).
- For those of you planning new products, strongly consider a different way to provision your WiFi credentials on your devices
- For those that already have products in the field, be prepared for some tech support calls on this
Either way, the days of Web App-based HTTP provisioning appear numbered.