Subject:
REST API: Enable CORS headers for web application compatibility
Description:
I'm developing a web-based SID music player (Ultimate64 Web Music Player) that uses the Ultimate64's REST API to browse and play music from HVSC. The app works great when hosted locally, but when served from HTTPS hosting (like GitHub Pages), modern browsers block the requests due to missing CORS headers.
The Problem:
Web browsers enforce a security policy called CORS (Cross-Origin Resource Sharing). When a web page served over HTTPS tries to access an HTTP resource on a different origin (like the Ultimate64 on the local network), the browser blocks the request unless the server includes specific headers in its response.
Currently, the REST API responses don't include CORS headers, which prevents web applications hosted on external servers from communicating with the Ultimate64.
Proposed Solution:
Add the following HTTP headers to all REST API responses:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Content-Length
For preflight (OPTIONS) requests, return a 200 OK with these headers.
Benefits:
Web-based tools - Enables development of web apps that control the Ultimate64 from any browser
Mobile access - Users can control their C64 from phones/tablets without installing apps
PWA support - Progressive Web Apps can be installed and used seamlessly
Community tools - Lowers the barrier for developers to create Ultimate64 integrations
No security risk - The Ultimate64 is already on a trusted local network; CORS headers just tell browsers it's intentional
Example Use Case:
My music player app (https://github.com/nesfrk81/Ultimate64WebMusicPlayer) lets users:
Search 50,000+ SID files from HVSC
Create playlists
Control playback from any device
It works perfectly in development (localhost), but users can't use the GitHub Pages hosted version because of CORS restrictions.
Technical Details:
The affected endpoints include:
PUT /v1/runners:sidplay - Play SID files
PUT /v1/machine:reset - Stop playback
GET /v1/info - Device information
Adding CORS is a minimal code change that would greatly expand what's possible with web-based Ultimate64 tools.
Thank you!
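The header logic requested above, as an added example (not code from this issue or from the Ultimate64 firmware): it answers a preflight with 200 OK and shows the proposed wildcard next to an exact-origin allowlist. The function names, the request shape and the origin `https://player.example` are assumptions made for illustration.

```javascript
// Header values taken from the issue text.
const ALLOW_METHODS = "GET, PUT, POST, DELETE, OPTIONS";
const ALLOW_HEADERS = "Content-Type, Content-Length";

// Decide which Access-Control-Allow-Origin value, if any, to send.
// allowedOrigins is "*" (as proposed) or an array of exact origins (assumed variant).
function allowedOriginValue(origin, allowedOrigins) {
  if (!origin) return null;                 // no Origin header: not a CORS request
  if (allowedOrigins === "*") return "*";
  return allowedOrigins.includes(origin) ? origin : null; // exact match only
}

// req: { method, headers } with lower-cased header names (hypothetical shape).
// Returns { preflight, status, headers }; status is set only for preflights,
// otherwise the caller runs the normal endpoint and merges in the headers.
function corsResponse(req, allowedOrigins) {
  const headers = {};
  const origin = req.headers["origin"];
  const value = allowedOriginValue(origin, allowedOrigins);

  // When the reply depends on Origin, caches must key on it.
  if (allowedOrigins !== "*") headers["Vary"] = "Origin";
  if (value !== null) headers["Access-Control-Allow-Origin"] = value;

  // A preflight is an OPTIONS request carrying Origin and
  // Access-Control-Request-Method.
  const preflight = req.method === "OPTIONS" && Boolean(origin) &&
    "access-control-request-method" in req.headers;
  if (preflight) {
    if (value !== null) {
      headers["Access-Control-Allow-Methods"] = ALLOW_METHODS;
      headers["Access-Control-Allow-Headers"] = ALLOW_HEADERS;
    }
    // Without the allow headers the browser blocks the real request.
    return { preflight: true, status: 200, headers };
  }
  return { preflight: false, status: null, headers };
}

// Constructed sample requests (not captured traffic).
const PLAYER_ORIGIN = "https://player.example";
const preflightReq = {
  method: "OPTIONS",
  headers: { origin: PLAYER_ORIGIN, "access-control-request-method": "PUT" },
};
const otherReq = {
  method: "OPTIONS",
  headers: { origin: "https://other.example", "access-control-request-method": "PUT" },
};
const localReq = { method: "GET", headers: {} }; // same-origin or non-browser client
```
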