CORS policy API - Githubissues

n-y-z-o / nyzoVerifier

Verifier for the Nyzo cryptocurrency

The Unlicense

73 stars 42 forks source link

CORS policy API #18

Closed benjaminvanrenterghem closed 4 years ago

benjaminvanrenterghem commented 4 years ago

This is a proposal to add a **Access-Control-Allow-Origin=*** header to the API endpoints. This would allow a wider variety of applications to use the API.

While a browser extension may be an exception to the rule in that it allows such requests to take place (and it is peculiar that it does), most modern day browsers actively enforce the CORS policy and local requests can't be made to the API endpoints.

On the right, the request from the Nyzo tip extension, which doesn't get blocked by CORS policy. On the left, the request from a local index.html file, which does get blocked by the CORS policy.

I made sure to use the same XMLHttpRequest structure, copied over from the extension, but the results do differ.

unknown (1) unknown

n-y-z-o commented 4 years ago

Thank you for this suggestion. This has been implemented in version 583, and it is deployed to https://client.nyzo.co.

Version 583 is expected to be released tomorrow.

n-y-z-o commented 4 years ago

Version 583 has been released: https://tech.nyzo.co/releaseNotes/v583.

l-u-f-o commented 3 years ago

@n-y-z-o seems like this is still an issue. https://client.nyzo.co/frozenEdge for example does not return the Access-Control-Allow-Origin=* header.

EggPool commented 3 years ago

Likely some glue code missing between layers.

Also, after a quick look it seems the client could almost be able to return proper Json, there is code already to return such payload (with application/json Content-Type), just this is apparently not used.

It would be great to either

have endpoints with an extra .json return Json output instead of the html https://client.nyzo.co/frozenEdge.json
and/or read and use "Accept: application/json" header and switch to Json output.

I did not found an existing way of switching to Json. Being dependent of custom formatted html to extract data on the client side is a repeated pain.

n-y-z-o commented 3 years ago

All of the endpoints automatically render as HTML and as JSON. The Access-Control-Allow-Origin=* header is set for all API endpoints.

For any endpoint, prefix with /api to get the JSON version. In this case, it would be:

https://client.nyzo.co/api/frozenEdge

EggPool commented 3 years ago

Awesome, missed that!

Thanks!!!