PokeAPI / pokeapi

The Pokémon API
https://pokeapi.co
BSD 3-Clause "New" or "Revised" License

CORS - access-control-allow-origin hardcoded #654

Closed patryknawolski closed 3 years ago

patryknawolski commented 3 years ago

Steps to Reproduce:

  1. Clone this repository which utilizes graphql pokeapi
  2. Install dependencies via `npm install`
  3. Run development server via `npm run dev`
  4. Error should be visible under Network tab in Chrome Developer Tools

Error preview: https://imgur.com/a/yIqbC8G

Naramsim commented 3 years ago

That's not our repository. That's https://github.com/smokku/pokedex

We cannot do anything about it.

patryknawolski commented 3 years ago

I know @Naramsim, but this repo utilizes your API. Do you have any idea why the request might have that `access-control-allow-origin`?

Naramsim commented 3 years ago

Yes

  1. We cache responses
  2. Hasura has a bug where it sets `access-control-allow-origin` to the Origin of the request. https://github.com/hasura/graphql-engine/issues/7566 (Just found out)
  3. A request hit PokeAPI
  4. It was cached with an `access-control-allow-origin: beta.pokeapi.co`
  5. The very same request (same body, same method) was fired on the third-party website
  6. You got the cached response

~I added in our Nginx conf another header `add_header Access-Control-Allow-Origin *;` So the latter (`*`) will have precedence and the error should be gone. I cleared the cache as well.~ I instructed Nginx to remove the header and add a new one with `*`.
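The sequence described in this thread, as an added simulation that is not part of the original issue or of PokeAPI's code: a cache keyed on method and body stores a reflected `Access-Control-Allow-Origin`, and the browser on a second site rejects the cached response. The function names, the sample query and the `third-party.example` origin are constructed; keying the cache on Origin (what a `Vary: Origin` response header asks caches to do) is shown as an assumption alongside the wildcard rewrite the maintainer describes.

```javascript
// Constructed simulation, no network access. All function names are hypothetical.

// Upstream that reflects the request Origin into Access-Control-Allow-Origin,
// the behaviour the thread attributes to Hasura.
function upstream(req) {
  return { headers: { 'access-control-allow-origin': req.origin }, body: '{"data":{}}' };
}

// Browser-side CORS check: the header must be "*" or equal the page's origin.
function browserAllows(pageOrigin, res) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Caching proxy. keyFn chooses the cache key; rewrite optionally normalizes
// headers before the response is stored and served.
function makeProxy(keyFn, rewrite = (res) => res) {
  const cache = new Map();
  return (req) => {
    const key = keyFn(req);
    if (!cache.has(key)) cache.set(key, rewrite(upstream(req)));
    return cache.get(key);
  };
}

// Cache key from the thread: same method, same body.
const byMethodAndBody = (r) => `${r.method}|${r.body}`;
// Assumed alternative: Origin is part of the key, as Vary: Origin implies.
const byMethodBodyOrigin = (r) => `${r.method}|${r.body}|${r.origin}`;
// Assumed model of the final fix: drop the upstream header, serve "*".
const forceWildcard = (res) => ({
  ...res,
  headers: { ...res.headers, 'access-control-allow-origin': '*' },
});

// The same query sent first from the API's own site, then from a third party.
// Returns, per request, whether the browser accepts the response.
function replay(proxy) {
  const query = { method: 'POST', body: '{"query":"{ pokemon { name } }"}' };
  const origins = ['https://beta.pokeapi.co', 'https://third-party.example'];
  return origins.map((origin) => browserAllows(origin, proxy({ ...query, origin })));
}

console.log({
  sharedKey: replay(makeProxy(byMethodAndBody)),               // [ true, false ]
  keyedOnOrigin: replay(makeProxy(byMethodBodyOrigin)),        // [ true, true ]
  wildcard: replay(makeProxy(byMethodAndBody, forceWildcard)), // [ true, true ]
});
```

Browsers accept the `*` value only for requests made without credentials, so the wildcard rewrite suits a public read-only API like this one.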