joshuef / beaker

A browser for the SAFE Network

Working locally with XMLHttpRequest #5

Closed happybeing closed 7 years ago

happybeing commented 7 years ago

Operating System: Linux
Beaker Version: 0.3.0

I want to check my current App works in Beaker before switching from direct requests to safe-js so I have a local server http://localhost:8000 and am using for the launcher endpoint, and hitting a same-origin issue when making the /auth request. Here's the console:

XMLHttpRequest cannot load http://localhost:8100/auth. 
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://localhost:8000' is therefore not allowed access.

Looking at the network tab I'm not sure what causes this. Is it a browser default to enforce same origin here?

joshuef commented 7 years ago

It is indeed. Unless the launcher API were to include 'Access-Control-Allow-Origin' headers we're going to run into this as you're requesting from a different host.

One workaround is via a reverse proxy, setting up a local domain for development and then forwarding requests to the API. Though I appreciate that's a bit annoying.

Inside of beaker right now, it's possible to disable 'websecurity' for pages, which will allow X Origin requests through.

(You can add this el.setAttribute('disablewebsecurity', true) to line 650 of app/shell-window/pages.js to enable it for the moment, if you want to compile from source)

For dev convenience I'll see about adding a menu toggle for this in the Beaker Dev menu.

happybeing commented 7 years ago

OK, great, thanks.

One thing I'm not clear about because the API docs still refer to needing a proxy, is what API endpoint to use for deployment? (Again, when not using safe-js)

happybeing commented 7 years ago

Conclusion: after slack chat with Josh...

Direct HTTP access to SAFE Launcher API is not supported by SAFE Beaker. You must use safe-js only.

This is because the cross origin policy necessary for security (enforced within Beaker) means that access to SAFE Launcher via localhost:8100 will not work, because it breaks this policy and causes CORS errors.
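The console error discussed in this thread, reproduced as an added example (not part of the issue and not Beaker or SAFE Launcher code): a simplified model of the check a browser applies before sending a cross-origin request. The function names are hypothetical, and the `/auth` call is assumed to be a POST with a JSON body, which the thread does not state.

```javascript
// Simplified preflight model; credentials, Range and Authorization rules are not modelled.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];
const SAFE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Lowercased names of the request headers that force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    const mime = String(value).split(';')[0].trim().toLowerCase();
    if (SAFE_HEADERS.includes(n)) return false;
    return !(n === 'content-type' && SAFE_CONTENT_TYPES.includes(mime));
  }).map(([name]) => name.toLowerCase());
}

// Split a comma-separated Access-Control-Allow-* value into lowercase tokens.
function tokens(value) {
  return (value || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// pageUrl: URL of the page; req: {url, method, headers};
// res: {status, headers} of the OPTIONS reply, header names lowercased.
function preflightCheck(pageUrl, req, res) {
  const origin = new URL(pageUrl).origin; // scheme + host + port
  const out = (preflight, reason) => ({ preflight, reason });
  if (new URL(req.url).origin === origin) return out('skipped', 'same-origin');
  const method = req.method.toUpperCase();
  const unsafe = unsafeHeaders(req.headers || {});
  if (SAFE_METHODS.includes(method) && unsafe.length === 0) {
    return out('skipped', 'simple request; only the real response is checked');
  }
  const allowOrigin = res.headers['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== origin) {
    return out('failed', "No matching 'Access-Control-Allow-Origin' for " + origin);
  }
  if (res.status < 200 || res.status > 299) return out('failed', 'status not 2xx');
  const methods = tokens(res.headers['access-control-allow-methods']);
  if (!SAFE_METHODS.includes(method) && !methods.includes(method.toLowerCase()) && !methods.includes('*')) {
    return out('failed', 'method not allowed: ' + method);
  }
  const allowed = tokens(res.headers['access-control-allow-headers']);
  const missing = unsafe.filter((n) => !allowed.includes('*') && !allowed.includes(n));
  if (missing.length) return out('failed', 'headers not allowed: ' + missing.join(', '));
  return out('passed', 'preflight accepted');
}

// Constructed sample: the request from the report, assuming a JSON POST body.
const authRequest = { url: 'http://localhost:8100/auth', method: 'POST', headers: { 'Content-Type': 'application/json' } };
console.log(preflightCheck('http://localhost:8000/', authRequest, { status: 200, headers: {} }));
```

The two localhost URLs differ only in port, which is enough to make them different origins; the same request sent to port 8000 returns `skipped` with reason `same-origin`.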