evepraisal / go-evepraisal

the code that powers evepraisal.com
https://evepraisal.com
MIT License

CORS Question #79

Closed memphis88 closed 5 years ago

memphis88 commented 6 years ago

Hello. Thanks for the great work you have put into this. I'd like to know if the API will ever be CORS compatible so it can be consumed inside a browser. I think it makes great sense since ESI is also compatible and browser apps are becoming more and more a thing.

darandelic commented 5 years ago

I wrote a long post about what I learned trying to get the evepraisal API to work with Angular. It's being blocked because of CORS. Long story short, the evepraisal server needs "Access-Control-Allow-Origin: *" set in the header reply in order for browsers to not block the API.

The firefox console is verbose:

"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://evepraisal.com/appraisal.json?market=jita&raw_textarea=avatar&persist=no. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)."

even GET doesn't work

"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://evepraisal.com/a/lexuu. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)."

sudorandom commented 5 years ago

I have decided not to do this in the short term for security concerns since the API is not cleanly separated from the frontend. To implement this correctly requires choosing where user cookies should be honored (and won't have the CORS header sent) and which endpoints will disallow users' browser cookies and will have the CORS header sent. I will likely break existing clients which rely on setting the cookie if I just suddenly make this change.

Without more complicated changes enabling this option opens up the possibility for other websites to pretend to be users on evepraisal and make actions on behalf of the user with or without the user's knowledge. You will need to issue commands from a backend of your own and not rely on API requests from front-end browsers.
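The split described in the previous comment, as an added Go sketch rather than code from go-evepraisal: one middleware strips the `Cookie` header and only then sends `Access-Control-Allow-Origin: *`, so a cross-origin caller can read the API but can never act on a logged-in session, while cookie-honoring pages get no CORS header. The `/account` route, the `session` cookie name and the `whoAmI` handler are hypothetical stand-ins; `/appraisal.json` is the endpoint from the Firefox message above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsPublic wraps endpoints that must never act on a logged-in session: the
// Cookie header is dropped first, then the permissive CORS header is added.
func corsPublic(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("Cookie") // any evepraisal session is ignored here
		w.Header().Set("Access-Control-Allow-Origin", "*")
		next.ServeHTTP(w, r)
	})
}

// whoAmI stands in for any handler (hypothetical): it reports whether a session reached it.
func whoAmI(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("session"); err == nil { // "session" is a constructed cookie name
		fmt.Fprintf(w, "user:%s", c.Value)
		return
	}
	fmt.Fprint(w, "anonymous")
}

// newMux routes the cookie-free, CORS-enabled API separately from
// cookie-honoring pages, which get no CORS header at all.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/appraisal.json", corsPublic(http.HandlerFunc(whoAmI)))
	mux.HandleFunc("/account", whoAmI) // hypothetical cookie-honoring page
	return mux
}

// call sends a request carrying a constructed session cookie, as a browser on
// another origin would, and returns status, body and the ACAO header.
func call(h http.Handler, method, path string) (int, string, string) {
	req := httptest.NewRequest(method, path, nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "alice"})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String(), rec.Header().Get("Access-Control-Allow-Origin")
}
func main() {
	for _, p := range []string{"/appraisal.json", "/account"} {
		code, body, acao := call(newMux(), http.MethodGet, p)
		fmt.Printf("%s -> %d %q ACAO=%q\n", p, code, body, acao)
	}
}
```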

memphis88 commented 5 years ago

GTK, thanks for the info.

darandelic commented 5 years ago

thanks for looking into it! As a workaround, I did get "GET" to work - so people can go to evepraisal.com first, get the link, and we can just use that. That's perfect for what we want, and people still get to use evepraisal's site (which is WAY better than anything I can do!)