Open nfischer opened 8 years ago
Unfortunately, this isn't reasonably attainable due to Same-Origin Policy restrictions. See https://github.com/nfischer/framily-tree/issues/12
I was under the impression the Google Sheets API included CORS headers to allow this (source). Is this not enough?
That could work, but we would still run into the issue of publicly exposing our API key since we don't have any environment vars to hide behind.
As I recall, the web-based sheets API has a way to whitelist which URLs are allowed to call the API. So, we would whitelist our sites and personal IP addresses (for development purposes), and no other pages could actually call the APIs (Google would toss away the requests). It kind of makes the key useless, since the site whitelist is the real key.
Interesting, it does seem like GH Pages supports CORS and that this could work. I'll keep looking into it.
Move the hardcoded data out of the repo and use the Google Sheets API instead to pull the data on page load.
Also, update all the instructions once this is changed.