alphagov / content-store

API for content on GOV.UK
https://docs.publishing.service.gov.uk/apps/content-store.html
MIT License

CORS header ‘Access-Control-Allow-Origin’ missing #1006

Closed NickColley closed 1 year ago

NickColley commented 2 years ago

I have built a JavaScript API for the Search API and Content API, but there is an inconsistency between the two.

In Node.js both succeed as expected. In the browser only Search API succeeds. This is because Content API does not have the correct headers set to allow for client-side requests.

<script type="module">
  import { SearchAPI, ContentAPI } from "https://unpkg.com/@nickcolley/govuk";
  const searchApi = new SearchAPI();
  const searchItem = await searchApi.get("Register to vote")
  // Succeeds
  console.log({ searchItem })

  const contentApi = new ContentAPI();
  const contentItem = await contentApi.get("/Register-to-vote")
  // Fails
  console.log({ contentItem })
</script>

https://jsbin.com/cidexadexu/edit?html,console,output

Browser console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.gov.uk/api/content/Register-to-vote. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 404.

XHR GET https://www.gov.uk/api/content/Register-to-vote
CORS Missing Allow Origin

cc @kevindew thoughts on this? :)
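
Added example, not part of the original issue or of the content-store code: a model of the check a browser applies before letting page script read a cross-origin response, which is why the request above fails in the browser while Node.js, which applies no same-origin policy, succeeds. The page origin `https://example.org`, the header sets, and the `*` value are constructed assumptions; the issue does not say which value the fix sets.

```javascript
// Added illustration: models the browser's CORS check for a simple cross-origin GET.
// Sample origin and header sets below are constructed, not captured from GOV.UK.

// Look up a header by name; header names are case-insensitive.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Decide whether page script at `pageOrigin` may read a response from `url`.
// `credentials` follows fetch(): "omit", "same-origin" or "include".
function corsCheck(pageOrigin, url, responseHeaders, credentials = "same-origin") {
  if (new URL(url).origin === pageOrigin) {
    return { readable: true, reason: "same origin, no CORS check" };
  }
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) {
    return { readable: false, reason: "CORS Missing Allow Origin" };
  }
  const withCredentials = credentials === "include";
  if (allowOrigin === "*") {
    return withCredentials
      ? { readable: false, reason: "wildcard not allowed with credentials" }
      : { readable: true, reason: "wildcard allows any origin" };
  }
  // The value must equal the serialized origin exactly: no lists, no patterns.
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: "allowed origin does not match" };
  }
  if (!withCredentials) return { readable: true, reason: "origin matches" };
  const allowCreds = getHeader(responseHeaders, "Access-Control-Allow-Credentials");
  return allowCreds === "true"
    ? { readable: true, reason: "origin matches, credentials allowed" }
    : { readable: false, reason: "credentials not allowed" };
}

// Constructed inputs mirroring the report: a page on another origin fetching the Content API.
const PAGE = "https://example.org"; // assumed page origin
const CONTENT_URL = "https://www.gov.uk/api/content/Register-to-vote";
const beforeFix = corsCheck(PAGE, CONTENT_URL, { "Content-Type": "application/json" });
const afterFix = corsCheck(PAGE, CONTENT_URL, { "access-control-allow-origin": "*" }); // "*" is assumed
console.log(beforeFix, afterFix);
```

The check runs on every response regardless of status, so an error response such as the 404 in the console output above is unreadable to script unless it carries the header too.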

kevindew commented 2 years ago

I don't think a need has ever come up before. I've opened https://github.com/alphagov/content-store/pull/1011 to add the header as it seems like it should allow this.

I can't make any guarantees for future consistency on this; I don't think anyone is taking our API offerings seriously as external resources.

NickColley commented 2 years ago

That is very reasonable, appreciate your time Kevin!

aldavidson commented 1 year ago

Can we close this issue since #1011 was merged?

NickColley commented 1 year ago

Yes it all is working!