HOWTO: Use third-party web controls on 8.5+

Posted: Mon Dec 15, 2025 3:13 pm
by Artoria2e5
I got back to folding after some time spent crunching Mersenne primes, and being the eager tester that I am, I installed the v8.5.3 client. Then I opened my old trusty "Folding@Home In The Dark" client from LAR systems... Oops! No connection!

A quick peek into the browser's network tab & the client log shows that the WebSocket API connections are being bounced for having a wrong Origin, originating in the Server::corsCB() code. Basically the browser sends an "Origin:" header with the WebSocket API connection made to 127.0.0.1:7396 (the FAH control websocket) explaining on which website's behalf it's making this connection. The FAH client side only lets the connection through when the origin is inside a whitelist.

By default the allowlist is:

Code:

*\\.foldingathome\\.org http://((127.0.0.1)|(localhost))(:\\d+)?

so https://webclient.lar.systems, which isn't on it, is blocked.

To completely disable the check (quite risky! now any webpage can control your local FAH) in v8.5, edit the config.xml to say:

Code:

<config>
  <allowed-origin-exprs v='.*'/>
</config>

To play it safe add it to the allow list, in theory, like this:
Well. I actually could not get the below to work! THIS DOES NOT WORK AT ALL! IT BREAKS THE VANILLA CLIENT TOO!

Code:

<config>
  <!-- whatever else you have now -->
  <allowed-origin-exprs v='https://webclient\.lar\.systems .*\\.foldingathome\\.org http://((127.0.0.1)|(localhost))(:\\d+)?'/>
</config>

PS: I have no idea why older versions did not trigger this check. The bulk of current corsCB() originated in 8.3.2 and I think it worked fine back then? Maybe my browser didn't send the header then? There was a slight change of the function in 8.5 in commit https://github.com/FoldingAtHome/fah-cl ... 21ab1a8705 and I think that's what made it serious.

PPS: Please someone tell me how to edit the allow list to something sensible. I do not want to run ".*" either and hell I don't want to tell people to do that. This is a dirty hack.

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Mon Dec 15, 2025 4:28 pm
by Artoria2e5
Hah! I've fixed it! The following works for playing it safe:

Code:

  <allowed-origin-exprs v='https://webclient\.lar\.systems .*\.foldingathome\.org http://((127.0.0.1)|(localhost))(:\d+)?'/>

Gotta unescape by one level.
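
Added example (not part of the posts above and not FAH client code): a small checker that runs the three allowed-origin-exprs values quoted in this thread against sample Origin headers, to show what each escaping level actually matches. It assumes the value is a space-separated list of regexes that must each match the whole Origin, approximated with Python's re module; the sample origins and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# allowed-origin-exprs values quoted in the thread (raw strings keep backslashes as typed).
WILDCARD = r"<config><allowed-origin-exprs v='.*'/></config>"
DOUBLE_ESCAPED = r"<config><allowed-origin-exprs v='https://webclient\.lar\.systems .*\\.foldingathome\\.org http://((127.0.0.1)|(localhost))(:\\d+)?'/></config>"
SINGLE_ESCAPED = r"<config><allowed-origin-exprs v='https://webclient\.lar\.systems .*\.foldingathome\.org http://((127.0.0.1)|(localhost))(:\d+)?'/></config>"

# Constructed sample Origin header values (not taken from any log).
WANTED = ["https://webclient.lar.systems",
          "https://app.foldingathome.org",
          "http://localhost:7396"]
UNWANTED = ["https://evil.example",
            "https://webclient.lar.systems.evil.example",
            "https://webclientxlar.systems"]


def load_exprs(config_xml):
    """XML attribute values have no backslash escapes, so patterns arrive exactly as typed."""
    node = ET.fromstring(config_xml).find("allowed-origin-exprs")
    return node.get("v").split()


def origin_allowed(origin, exprs):
    """Assumed semantics: an origin passes if any pattern matches it in full."""
    return any(re.fullmatch(expr, origin) for expr in exprs)


def audit(config_xml):
    """Return (wanted origins that are rejected, unwanted origins that are accepted)."""
    exprs = load_exprs(config_xml)
    rejected = [o for o in WANTED if not origin_allowed(o, exprs)]
    accepted = [o for o in UNWANTED if origin_allowed(o, exprs)]
    return rejected, accepted


if __name__ == "__main__":
    for name in ("WILDCARD", "DOUBLE_ESCAPED", "SINGLE_ESCAPED"):
        rejected, accepted = audit(globals()[name])
        print(f"{name}: wrongly rejected={rejected} wrongly accepted={accepted}")
```

Under these assumptions the double-escaped patterns demand a literal backslash in the Origin, so the foldingathome.org and localhost-with-port origins stop matching, while the single-escaped list accepts the wanted origins and nothing else in the sample set.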

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Mon Dec 15, 2025 5:28 pm
by muziqaz
LAR probably did not enable 8.5 yet on their plugin. They are frequenting LTT forum

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Mon Dec 15, 2025 10:18 pm
by calxalot
Side note: It is not a plugin, it is their own web app. I don't know if it is open source.

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Mon Dec 15, 2025 10:21 pm
by muziqaz
calxalot wrote: Mon Dec 15, 2025 10:18 pm Side note: It is not a plugin, it is their own web app. I don't know if it is open source.
I know, I know. I'm brainfarting from time to time :D

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Mon Dec 15, 2025 10:21 pm
by calxalot
My allow list is

Code:

<allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>

This is only because I use fahctl and lufah from another machine on local net.

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Mon Dec 15, 2025 10:22 pm
by calxalot
muziqaz wrote: Mon Dec 15, 2025 10:21 pm I know, I know. I'm brainfarting from time to time :D
You too, huh?

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Tue Dec 16, 2025 10:44 am
by Artoria2e5
Just to be clear...
muziqaz wrote: Mon Dec 15, 2025 5:28 pm LAR probably did not enable 8.5 yet
the thing is, there's not anything for LAR to enable. the blocking is coming from the FAH client itself.
calxalot wrote: Mon Dec 15, 2025 10:21 pm My allow list is

Code:

<allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>

This is only because I use fahctl and lufah from another machine on local net.
the old IP-based blocking still exists. the new thing is another layer that you need to configure.

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Tue Dec 16, 2025 11:01 am
by calxalot
allowed-origin-exprs is newish.
allowed-origins has been there a while, but seemed maybe ignored for a few versions.
Or maybe it was partly something server-side.

I should probably test and update my local web control howto.

The CORS blocking generally will only affect web browsers, so I've been neglecting it.

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Tue Dec 16, 2025 11:11 am
by calxalot
I emailed a link to your solution post to info@folding.lar.systems
I don't know if anyone is monitoring that email.

Edit: also messaged them on LTT forum
https://linustechtips.com/profile/66849 ... b=activity

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Tue Dec 16, 2025 5:37 pm
by muziqaz
Artoria2e5 wrote: Tue Dec 16, 2025 10:44 am Just to be clear...
muziqaz wrote: Mon Dec 15, 2025 5:28 pm LAR probably did not enable 8.5 yet
the thing is, there's not anything for LAR to enable. the blocking is coming from the FAH client itself.
calxalot wrote: Mon Dec 15, 2025 10:21 pm My allow list is

Code:

<allow v='127.0.0.1 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16'/>

This is only because I use fahctl and lufah from another machine on local net.
the old IP-based blocking still exists. the new thing is another layer that you need to configure.
They had to tweak something in order for 8.4 to work. Similar thing might be required for 8.5

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Tue Dec 16, 2025 10:19 pm
by calxalot
I don't think anything really changed with 8.5 api.
The timeseries was added for the top chart.

I think 8.4 started reporting "wu_progress" instead of "progress".

Re: HOWTO: Use third-party web controls on 8.5+

Posted: Tue Dec 16, 2025 10:55 pm
by muziqaz