Could not access all assets on scratch-gui (excepts on https://scratch.mit.edu) and its Mods because check CORS every API requests

scratchfoundation / scratch-gui

Graphical User Interface for creating and running Scratch 3.0 projects.

https://scratchfoundation.github.io/scratch-gui/develop/

BSD 3-Clause "New" or "Revised" License

4.46k stars 3.55k forks source link

Could not access all assets on scratch-gui (excepts on https://scratch.mit.edu) and its Mods because check CORS every API requests #9268

Open takaokouji opened 1 year ago

takaokouji commented 1 year ago

Expected Behavior

The scratch-gui can access the asset if it is running on anything other than https://scratch.mit.edu.

Actual Behavior

The scratch-gui cannot access the asset if it is running on anything other than https://scratch.mit.edu. It can only on https://scratch.mit.edu. Because it checks CORS every API requests. Also scratch-vm and scratch-storage are same. So, it can't.

Steps to Reproduce

Steps to reproduce the behavior:

setup scratch-gui on local
npm start
http://localhost:8601/ on browser
select any sprite or costume or sound.

System Details

Every system.

Screenshots

takaokouji commented 1 year ago

FYI: Workarounds.

for scratch-gui: https://github.com/smalruby/smalruby3-gui/pull/336/files
for scratch-vm: https://github.com/smalruby/scratch-vm/pull/23/files

takaokouji commented 1 year ago

Is this a bug ? or not (specification) ?

ghost commented 11 months ago

It must be a local host bug. Not sure how to fix API or Host servers though.

ajskateboarder commented 11 months ago

This is not a bug. api.scratch.mit.edu and assets.scratch.mit.edu have a CORS policy so that only https://scratch.mit.edu can make requests to it. To work around the CORS policy, you will need to set up a CORS proxy for both of the mentioned sites and modify these lines to use the proxied links by default.

Also, I think the CORS policy they added was intended to prevent people from misusing the API from the browser