paulbrejla / ferien-api

Code for ferien-api.de lives here. Feel free to contribute.
https://ferien-api.de
MIT License

Missing CORS Response Header #6

Closed Jonas-Sander closed 2 years ago

Jonas-Sander commented 3 years ago

I want to use your server but can't use it from browsers directly as your service does not respond with a CORS header.

Now I would have to resort to something like cors-anywhere proxy-server which is only really a workaround for the missing header.

The fix would be to just return an Access-Control-Allow-Origin: * header.
This should be possible via a @CrossOrigin(origins = "*", allowedHeaders = "*") annotation in Spring (I guess, I have no experience with it).

anisfencheltee commented 3 years ago

Almost the same problem here, I can access ferien-api.de via the browser. My little web application unfortunately can't due to CORS restrictions. Chrome error message is: "Access to XMLHttpRequest at 'https://ferien-api.de/api/v1/holidays/BE/2021' from origin 'http://127.0.0.1:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

muuvmuuv commented 2 years ago

Is someone working on this already? I could try to make a PR but have little to no experience with Kotlin.

klaernie commented 2 years ago

This is only my personal opinion, but CORS only matters if you'd use ferien-api directly in the frontend. I'd always proxy the API in my backend system and most importantly cache it heavily, since the data is fairly static. This way the (possibly thousand) users of my application would result in just a singular request per day. I don't think the ferien-api server could not handle the full load, it would just feel wasteful to me, and I'd consider this better etiquette.

muuvmuuv commented 2 years ago

I don't agree with you fully. Why should I take the effort to set up a proxy or my backend, when my Angular HTTP lib can cache and handle it directly? In our case it makes sense to use it directly in the frontend.

klaernie commented 2 years ago

@muuvmuuv Not knowing your use case I cannot say if that's appropriate or not. I've built applications intended to be used only by me in my home, and apps used by a team of 50 daily. In the first case the proxied use clearly is more effort than it might be worth, but in the second it could already be reasonably worth it.

maxleistner commented 2 years ago

I would really need it too. Go for it @muuvmuuv :)

maxleistner commented 2 years ago

@paulbrejla does not work yet :( If I call: https://ferien-api.de/api/v1/holidays/BY/2021 response is Access to XMLHttpRequest at 'https://ferien-api.de/api/v1/holidays/BY/2022' from origin 'http://127.0.0.1:5173' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

paulbrejla commented 2 years ago

@maxleistner it is not released yet. I'll push the latest release asap.

paulbrejla commented 2 years ago

@maxleistner can you verify against https://preview.ferien-api.de/api/v1/holidays?

maxleistner commented 2 years ago

@paulbrejla the header is not sent. Therefore there is still a CORS error. short: not working :)

paulbrejla commented 2 years ago

The cors header is sent back on this request:

curl -v --request GET  'https://preview.ferien-api.de/api/v1/holidays' --header 'Origin: http://localhost' --header 'Access-Control-Request-Method: GET'

Response:

< HTTP/2 200
< date: Wed, 14 Sep 2022 17:21:24 GMT
< content-type: application/json
< vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers
< access-control-allow-origin: *

Are you sure that you are sending the proper headers?
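
Added example, not part of the thread or of the ferien-api code base: the check a browser applies to Access-Control-Allow-Origin on a simple cross-origin GET (no preflight), run over the `curl -v` response lines quoted in the last comment and over a constructed response that lacks the header. The function names and the no-header sample are assumptions made for illustration.

```javascript
// Response header lines as quoted in the last comment of the thread.
const PREVIEW_RESPONSE = `
< HTTP/2 200
< date: Wed, 14 Sep 2022 17:21:24 GMT
< content-type: application/json
< vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers
< access-control-allow-origin: *
`;

// Constructed sample: a response without the CORS header, the situation
// the Chrome error messages in the thread describe.
const NO_CORS_RESPONSE = `
< HTTP/2 200
< content-type: application/json
`;

// Turn "< name: value" lines from `curl -v` into a lower-cased header map.
// The status line ("< HTTP/2 200") has no "name:" part and is skipped.
function parseCurlHeaders(text) {
  const headers = new Map();
  for (const line of text.split("\n")) {
    const m = /^<\s*([^:\s]+):\s*(.*)$/.exec(line.trim());
    if (m) headers.set(m[1].toLowerCase(), m[2].trim());
  }
  return headers;
}

// CORS check from the Fetch standard: may script running at `origin` read
// this response? `withCredentials` mirrors XMLHttpRequest.withCredentials.
function corsCheck(headers, origin, withCredentials = false) {
  const allow = headers.get("access-control-allow-origin");
  if (allow === undefined)
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (!withCredentials && allow === "*")
    return { allowed: true, reason: "wildcard, request without credentials" };
  if (allow !== origin)
    return { allowed: false, reason: `'${allow}' does not match the origin` };
  if (withCredentials && headers.get("access-control-allow-credentials") !== "true")
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
  return { allowed: true, reason: "origin matches" };
}

const preview = parseCurlHeaders(PREVIEW_RESPONSE);
for (const origin of ["http://127.0.0.1:4200", "http://127.0.0.1:5173"])
  console.log(origin, corsCheck(preview, origin));
// A wildcard never satisfies a credentialed request.
console.log("with credentials:", corsCheck(preview, "http://127.0.0.1:5173", true));
console.log("no header:", corsCheck(parseCurlHeaders(NO_CORS_RESPONSE), "http://127.0.0.1:4200"));
```

The wildcard passes for both development origins named in the thread only while the request carries no cookies or HTTP authentication; a credentialed request needs the exact origin echoed back together with Access-Control-Allow-Credentials: true.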