Category
Functional — something doesn't work as expected
Description
- rclone gui ignores or overwrites explicit --rc-allow-origin.
- It derives RC CORS from the GUI bind address.
- When the GUI binds to :4001, rclone normalizes that to http://[::]:4001.
- But http://[::]:4001 and http://localhost:4001 are different origins, so login from http://localhost:4001 to http://localhost:4000 fails.
Steps to reproduce
docker run -d --rm \
--name rclone-gui-cors-repro \
-p 4001:4001 \
-p 4000:4000 \
rclone/rclone:latest \
--rc-allow-origin=http://localhost:4001 \
gui \
--addr=:4001 \
--api-addr=:4000 \
--user=gui \
--pass=change-me \
--no-open-browser
curl -i -X OPTIONS 'http://localhost:4000/rc/noopauth' \
-H 'Origin: http://localhost:4001' \
-H 'Access-Control-Request-Method: POST' \
-H 'Access-Control-Request-Headers: authorization'
This will show:
Access-Control-Allow-Origin: http://[::]:4001
When it should be:
Access-Control-Allow-Origin: http://localhost:4001
Expected behavior
Access-Control-Allow-Origin should be what is specified with --rc-allow-origin not http://[::]:NNNN
Screenshots
No response
Environment
rclone v1.74.3
- os/version: darwin 15.7.7 (64 bit)
- os/kernel: 24.6.0 (arm64)
- os/type: darwin
- os/arch: arm64 (ARMv8 compatible)
- go/version: go1.26.4
- go/linking: dynamic
- go/tags: none
Category
Functional — something doesn't work as expected
Description
Steps to reproduce
This will show:
When it should be:
Expected behavior
Access-Control-Allow-Origin should be what is specified with
--rc-allow-originnothttp://[::]:NNNNScreenshots
No response
Environment
rclone v1.74.3