ajanata / PretendYoureXyzzy

A web clone of the card game Cards Against Humanity.
https://pretendyoure.xyz/zy
BSD 2-Clause "Simplified" License
1.23k stars, 397 forks

Add CORS to the API #122

Closed Voltasalt closed 8 years ago

Voltasalt commented 9 years ago

The API is pretty much unusable now, as there is no CORS on it. It is therefore impossible to create a client in the browser (without owning your domain), since the Ajax same-origin policy breaks it. Obviously, you could just proxy the requests through another server, but that would break your sessions (since they seem to be tied to IPs), and IP banning... need I say more?

It only takes one HTTP header to enable it. I don't have any JSP/Tomcat/whatever experience, but it should be very easy to implement.

Voltasalt commented 9 years ago

Basically, add these headers to all responses:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true