Open CalldiDoctor opened 4 years ago
+1 on this.
My use case is that I am building a Twitch overlay extension, and it would be awesome if I could build it without a back-end. However, as it stands, I have to host a server that sits in between the Twitch extension front-end and the client API and just passes the data through SOLELY to avoid CORS problems. Kind of a "feels bad" when it's literally the only reason I have to host a back-end.
+1, http://runetiera.com currently asks our users to install a custom Chrome extension just to be able to bypass CORS and read the client API responses.
I really don't like the idea at all of ANY domains being whitelisted. If a user wants to use your service, they should consent to access by installing an extension or helper application or whatever. The LCU can be used for bad, and if a whitelisted domain decides "let's disenchant everyone's inventories," I don't see that going well.
I think it would be interesting to allow third party websites to get data directly from the client API.
The main benefit I see, in terms of security and user experience, is that users won't need to install any software, which could potentially be malicious. Thus, users could use deck trackers, or any other application, by just having a browser window open.
Of course, if CORS is enabled for any domain, that would also be a security issue, since a malicious website could, for instance, get game information without the user's approval.
That's why I think adding a whitelist of domains could be a solution between the current scenario and allowing access from anywhere.
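As an added illustration of the allowlist idea discussed in this thread (this is not code from the issue, from the client, or from any of the projects mentioned): the pass-through proxy people are already hosting can grant browser access only to an exact set of origins, answer preflights, and forward nothing but GETs. The allowlisted origins, the request shape, and the `fetchUpstream` function are assumptions constructed for the example.

```javascript
// Added example: CORS origin allowlisting for a pass-through proxy in front of
// a local client API. Not the issue's or the client's code; allowlist entries,
// request objects and fetchUpstream are constructed for illustration.

// Exact origins (scheme + host [+ port]) allowed to read through the proxy.
// Assumed values; a real deployment would load these from configuration.
const ALLOWED_ORIGINS = new Set([
  "https://runetiera.com",
  "https://www.runetiera.com",
]);

// Normalise an Origin header to a canonical origin string, or return null when
// it is absent, "null", or not a plain origin. Comparing whole origins instead
// of running a substring/regex match on the host keeps
// "https://runetiera.com.evil.example" from matching "runetiera.com".
function canonicalOrigin(originHeader) {
  if (typeof originHeader !== "string") return null;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return null; // "null", garbage, or a bare hostname without a scheme
  }
  // Require the header to be exactly an origin (case-insensitive), so a value
  // carrying a path, query or explicit default port is not silently accepted.
  if (parsed.origin !== originHeader.toLowerCase()) return null;
  return parsed.origin;
}

// Returns the CORS headers for an allowed origin, or null to refuse.
function corsHeadersFor(originHeader) {
  const origin = canonicalOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin, // echo the one origin, never "*"
    "Vary": "Origin",                      // so shared caches key on Origin
    "Access-Control-Allow-Methods": "GET, OPTIONS",
    "Access-Control-Max-Age": "600",
    // No Access-Control-Allow-Credentials: the browser never sends cookies to
    // the proxy, so the allowlist is the only thing gating access.
  };
}

// Minimal request handler for the proxy. `req` is {method, headers, path};
// `fetchUpstream(path)` is a hypothetical function that reads from the local
// client API and returns a body string. Only GETs are forwarded (assuming the
// upstream treats GET as read-only), so an allowlisted site cannot reach
// state-changing endpoints such as the disenchanting the thread worries about.
function handleRequest(req, fetchUpstream) {
  const cors = corsHeadersFor(req.headers.origin);
  if (cors === null) {
    return { status: 403, headers: {}, body: "origin not allowed" };
  }
  if (req.method === "OPTIONS") { // preflight: headers only, no body
    return { status: 204, headers: cors, body: "" };
  }
  if (req.method !== "GET") {
    return { status: 405, headers: cors, body: "read-only proxy" };
  }
  return { status: 200, headers: cors, body: fetchUpstream(req.path) };
}
```

The two checks worth keeping even if everything else changes: the origin is compared as a whole, canonicalised string against a fixed set (never reflected back unconditionally and never `*`), and the response carries `Vary: Origin` so a cache serving several sites does not hand one site's allow header to another.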