Can aria2 RPC Accept CORS Requests?
The aria2 RPC server can accept Cross-Origin Resource Sharing (CORS) requests, allowing web-based download managers and frontends to communicate with it directly from a browser. This capability is crucial for web interfaces like AriaNg or yaaw, which run in a browser environment and need to send commands to a locally or remotely running aria2 daemon. By utilizing specific command-line flags or configuration options, users can explicitly enable and configure CORS behavior to ensure secure and seamless communication.
Understanding aria2 RPC and CORS
By default, modern web browsers enforce the Same-Origin Policy, which
prevents a web page from making requests to a different domain,
protocol, or port than the one it was served from. Because aria2
typically runs as a background daemon (often on
localhost:6800), a web frontend hosted on a public domain
(like https://ariang.github.io) would normally be blocked
from communicating with it.
To relax this restriction in a controlled way, aria2 supports CORS: the RPC server can include the HTTP headers that tell the browser to permit cross-origin requests.
How to Enable CORS in aria2
To allow web frontends to connect to your aria2 instance, you must
configure the RPC server using the --rpc-allow-origin-all
option. This flag instructs aria2 to add the
Access-Control-Allow-Origin: * header to its HTTP
responses, which permits any website to send RPC requests to your
server.
Using the Command Line
You can enable this feature directly when starting the aria2 daemon from your terminal by appending the appropriate flag:
aria2c --enable-rpc --rpc-allow-origin-all
Using a Configuration File
If you prefer using an aria2.conf configuration file to
manage your settings permanently, you can add the following lines:
# Enable the RPC server
enable-rpc=true
# Allow all origins (CORS)
rpc-allow-origin-all=true
Security Considerations
While enabling --rpc-allow-origin-all is necessary for
web-based frontends to function, it does expose your aria2 RPC server to
requests from any website you visit in your browser. To secure your
setup and prevent unauthorized access or malicious downloads, you should
always combine CORS enablement with RPC authentication.
- RPC Secret: Use the --rpc-secret=<SECRET> token option to require a password for all incoming requests.
- Secure RPC (HTTPS/WSS): If your frontend is hosted on a secure https:// website, the browser may block requests to an unencrypted http://localhost RPC server due to mixed content restrictions. In such cases, you must configure aria2 with SSL certificates using the --rpc-secure=true, --rpc-certificate, and --rpc-private-key options to enable secure connections.
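The checks from the Security Considerations list, written as a small audit over aria2.conf text. This is an added example, not code from aria2 or from this page; the severity labels, sample paths and placeholder secret are constructed, and the .p12/.pfx exception assumes aria2's documented behaviour that a PKCS12 bundle carries its own key.

```python
# Added example: audit aria2.conf text for the RPC/CORS settings discussed above.

def parse_conf(text):
    """aria2.conf is one key=value per line; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def is_on(opts, key):
    return opts.get(key, "false").lower() == "true"

def audit(text):
    """Return (severity, message) findings; severity labels are this example's own."""
    opts = parse_conf(text)
    findings = []
    if not is_on(opts, "enable-rpc"):
        return findings  # RPC server disabled: nothing for a browser to reach
    cors_open = is_on(opts, "rpc-allow-origin-all")
    if not opts.get("rpc-secret"):
        findings.append(("HIGH" if cors_open else "MEDIUM",
                         "rpc-secret is not set: RPC calls are unauthenticated"))
    if is_on(opts, "rpc-secure"):
        cert = opts.get("rpc-certificate", "")
        if not cert:
            findings.append(("HIGH", "rpc-secure=true but rpc-certificate is missing"))
        elif not cert.lower().endswith((".p12", ".pfx")) and not opts.get("rpc-private-key"):
            # Assumption: a PEM certificate needs its key supplied separately.
            findings.append(("HIGH", "PEM rpc-certificate requires rpc-private-key"))
    elif cors_open:
        findings.append(("INFO", "rpc-secure is off: an https:// frontend may be "
                                 "blocked by mixed-content rules"))
    return findings

# Constructed inputs: the page's config as given, and a hardened variant.
PAGE_CONF = ("# Enable the RPC server\nenable-rpc=true\n"
             "# Allow all origins (CORS)\nrpc-allow-origin-all=true\n")
HARDENED_CONF = PAGE_CONF + (
    "rpc-secret=REPLACE-WITH-LONG-RANDOM-VALUE\n"   # placeholder, not a real secret
    "rpc-secure=true\n"
    "rpc-certificate=/etc/aria2/rpc-cert.pem\n"     # hypothetical path
    "rpc-private-key=/etc/aria2/rpc-key.pem\n"      # hypothetical path
)

if __name__ == "__main__":
    for name, conf in (("page config", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Run against the configuration file shown earlier, it reports the missing secret as the top finding; the hardened variant returns no findings.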