Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handle http answers after https requests #159

Closed
maxfscher opened this issue Jun 27, 2023 · 8 comments
Closed

Handle http answers after https requests #159

maxfscher opened this issue Jun 27, 2023 · 8 comments
Labels
question Further information is requested

Comments

@maxfscher
Copy link

Dear all,

we are recently experiencing an issue regarding the url that is used by the SLIM viewer to retrieve images from a DCM4CHEE PACS server. The problem is expressed as follows: The Slim Viewer is able to communicate with the DCM4CHEE pacs and extracts metadata of image series correctly. However, it fails to extract the requested pixel data and we get a view of the viewer that is similar to issue #142 .
We get an error message that indicates a mixed content problem, as shown in the attached image.
Screenshot from 2023-06-27 13-27-08
In the Network tab from the browser we can see, that the initial request from the viewer to the DCM4CHEE PACS was done via https,
Screenshot from 2023-06-27 13-26-04

which we also configure in the local.js file

var hostname=window.location.href.split("//")[1].split("/")[0]
console.log("Hostname: "+hostname)
window.config = {
  path: "/slim",
  /** This is an array, but we'll only use the first entry for now */
  servers: [
    {
      id: "local",
      url: "https://"+hostname+"/dcm4chee-arc/aets/KAAPANA/rs",
      write: true
    }
  ],

The PACS answers then via http and the connection is aborted due to an unsecure connection, which is also reasonable since mixed origin requests indicate unsecure connections.
Screenshot from 2023-06-27 13-26-32
We are having a pre-build container with SLIM version 0.4.1 lying around, which we integrated to the PACS server via the same local.js as config file and here everything works super fine with the connection to the PACS server.
From the logs we have seen that the error is thrown by DicomWebClient, which is installed as default by SLIM with version 0.8.4. A manual downgrade of the DicomWebClient, to 0.8.2, which was used for SLIM 0.4.1 (the version that works for us), did not help. Are there any other approaches to handle such unsecure connections and automatically transfer them into a secure connection by converting the http request into a https request?

@fedorov
Copy link
Member

fedorov commented Jun 30, 2023

@cgorman do you have any thoughts about this issue?

@cgorman
Copy link
Collaborator

cgorman commented Jul 6, 2023

@fedorov @maxfscher Yes, in my experience this is due to the VNA/PACS populating the bulkdataURI fields with its internal URL. We have run into this same problem at MGH and we don't really have a good way of fixing it unfortunately. If you set up a proxy it will still keep the incorrect URL in the field, but there may be some nginx magic to regex bulkdataURIs and replace them with the proxied URL.

@fedorov fedorov added the question Further information is requested label Jul 6, 2023
@fedorov
Copy link
Member

fedorov commented Jul 6, 2023

@maxfscher can you please try launching your browser in "insecure mode", which should take care of the CORS problem, and see if in that mode the image is loaded correctly?

@cgorman
Copy link
Collaborator

cgorman commented Jul 6, 2023

FYI the flag is --disable-web-security in chrome

@maxfscher
Copy link
Author

Hi thanks for your help. Yes indeed, with a proxy between the PACS and the viewer, the BulkdataURIs are served via http, even though they are requested via https. For us the CORS extensions did not solve any issues. However, adding the html element in the browser

http-equiv="Content-Security-Policy"
  content="upgrade-insecure-requests"

solves this problem. Adding this manually before each requests helps, or a static solution was for us to add this via a middleware constantly when using a proxy.
I am just curious if there exists also a way in the Viewer to catch these kind of cross-origin-conflicts.

@fedorov
Copy link
Member

fedorov commented Jul 7, 2023

solves this problem

Meaning you are able to see the image?

@cgorman
Copy link
Collaborator

cgorman commented Jul 13, 2023

Ok yeah we should be able to just add that content security policy header to requests made by the dicom microscopy viewer* if the URL provided by the configuration is https. I think it's fine since it only touches the protocol, and if an end user has further issues I think it would be the responsibility of the proxy server to handle more complex rewriting.

*I think this is where the change would need to be but I'll double check. Either way I'll link the PR to this issue.

cgorman added a commit that referenced this issue Jul 20, 2023
If any of the URLs start with https then we add the
Content-Security-Policy : upgrade-insecure-requests header to
DICOMwebClient requests. Addresses #159
igoroctaviano added a commit that referenced this issue Nov 1, 2024
* Added conditional content-security-policy header

If any of the URLs start with https then we add the
Content-Security-Policy : upgrade-insecure-requests header to
DICOMwebClient requests. Addresses #159

* Fix formatting errors

* Add config

* Add docs

---------

Co-authored-by: Igor Octaviano <[email protected]>
@igoroctaviano
Copy link
Collaborator

Addressed by: #160

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

4 participants