OPSkins / trade-opskins-api

API docs for trade.opskins.com

Access-Control-Allow-Origin: * #66

Closed herenickname closed 6 years ago

herenickname commented 6 years ago

It is impossible to write a single-page web application directly communicating with your API, because the browser does not allow access to your site.

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Voyager-Two commented 6 years ago

Hello,

What will you use this for? What will you do with endpoints that require an API key?

It's probably best to just do these requests on a backend server and front-end talks to your server instead.

Thanks

herenickname commented 6 years ago

Well, for example: http://ekifox.me/vgo/

Unfortunately, I need to use workarounds (CORS proxy) to work with your API.

DoctorMcKay commented 6 years ago

Do not ask users for their API keys.

herenickname commented 6 years ago

The key is not passed anywhere except your server. Check my code :(

DoctorMcKay commented 6 years ago

Doesn't change the fact that you're collecting user credentials.

DoctorMcKay commented 6 years ago

Also, you don't need the end-user's API key to retrieve inventories. Use your own API key and a backend server to make the request.

herenickname commented 6 years ago

It's more like excuses than real help with a request to solve the cross-domain query problem. In my case, it's not possible to use my backend, because it does not exist. My site is hosted on GitHub Pages. Even if I use my backend, why should I create an extra load on my server and my key? Suddenly, users will find some kind of loophole in your API, and I will be to blame. I globally wanted to make utility services for your API, where you can not only parse inventory, but apply all sorts of filters, for example.

DoctorMcKay commented 6 years ago

I assure you that if there were a legitimate reason to enable CORS for all domains, we would consider it. But collecting user credentials (even if you aren't sending them to your backend) is not acceptable under any circumstances.

We're glad that you want to build services around our API, but you need to be using your own key. It's a violation of the TOS for users to enter their API keys into your application. And it's especially a violation for you to be sending user API keys to an untrusted, third-party service, as you're doing now (even though you believe it to be "necessary").