wavy / wavyfm-docs

wavy.fm developer documentation
https://wavy.fm/developers

Open-up cross-origin requests #18

Closed aramperes closed 3 years ago

aramperes commented 3 years ago

Use-Case Description

At the moment, the API doesn't allow cross-origin requests because it inherits it from the main website. We should allow cross-origin requests to a certain extent, especially for apps that don't have a backend server.

Semantics

Cross-origin requests shouldn't use the client credentials flow, since that would leak the client secret. The implicit auth flow (#23) might be the easiest, as it shouldn't encumber users too much (clicking a link and clicking Accept).

aramperes commented 3 years ago

Wildcard cross-origin requests are now enabled for /api/v1beta, and the Authorization header is allowed. Note that internal endpoints are still restricted to wavy.fm.
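
The policy described in the comment above, modeled as an added example (not part of the original thread and not wavy.fm's server code). The `https://wavy.fm` origin form, the `/internal/...` path and the `/profile` endpoint are assumptions for illustration.

```javascript
// Added illustration of the CORS policy described above; not wavy.fm's code.
const PUBLIC_PREFIX = "/api/v1beta";           // path named in the issue
const FIRST_PARTY_ORIGIN = "https://wavy.fm";  // assumption: https scheme, no port

// Match on a path-segment boundary so "/api/v1beta-internal" is not public.
function isPublicApi(path) {
  return path === PUBLIC_PREFIX || path.startsWith(PUBLIC_PREFIX + "/");
}

// CORS response headers the server would attach; {} means the browser
// blocks the cross-origin read.
function corsHeaders(path, origin) {
  if (isPublicApi(path)) {
    return {
      "Access-Control-Allow-Origin": "*",
      // Authorization must be named: "*" in Allow-Headers does not cover it.
      "Access-Control-Allow-Headers": "Authorization",
      // No Access-Control-Allow-Credentials: browsers reject it with "*",
      // so cookies never ride along; only an explicit bearer token works.
    };
  }
  if (origin === FIRST_PARTY_ORIGIN) {
    return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  }
  return {};
}

// Browser-side view of a preflight: may this origin send these
// non-safelisted request headers to this path?
function preflightPasses(path, origin, requestHeaders) {
  const h = corsHeaders(path, origin);
  const allowOrigin = h["Access-Control-Allow-Origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const allowed = (h["Access-Control-Allow-Headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  return requestHeaders.every((name) => allowed.includes(name.toLowerCase()));
}
```

Because the wildcard origin cannot be combined with credentialed requests, a third-party page can reach `/api/v1beta` only with a token it already holds, which is why the client secret must stay out of browser code.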