EXBO-Studio / stalcraft-api

Public issue tracker for Stalcraft API

CORS requirements #6

Closed IgorJs2 closed 1 year ago

IgorJs2 commented 1 year ago

Hi, what CORS is needed to get access to your API? From Postman my request passes, but from an HTTP client I get the error "CORS Missing Allow Origin".

abvadabra commented 1 year ago

Stack Overflow can explain this behaviour better than I can:

When Site A tries to fetch content from Site B, Site B can send an Access-Control-Allow-Origin response header to tell the browser that the content of this page is accessible to certain origins. (An origin is a domain, plus a scheme and port number.) By default, Site B's pages are not accessible to any other origin; using the Access-Control-Allow-Origin header opens a door for cross-origin access by specific requesting origins.

Full answer: https://stackoverflow.com/questions/10636611/how-does-the-access-control-allow-origin-header-work

In our case that means that you shouldn't be making API requests directly from the client's browser, primarily because the access token and app secrets are like passwords and shouldn't be exposed to an unsafe environment (like the browser). The client side of your application should make requests to YOUR backend server, which in turn should call the Stalcraft API server.

I assume that what you're trying to build is an SPA without any kind of backend, which is not something we support for now.

mihanc commented 1 year ago

I assume that what you're trying to build is an SPA without any kind of backend, which is not something we support for now.

What about cookies? We could encode tokens in cookies and send them directly to your API. To prevent the theft of cookies, the httpOnly flag can be used.