CORS Issue

[Wenlue Zhang]

Hi,

Just wondering if it is an intended behaviour for the API disallowing cross-origin requests? It seems to miss "Access-Control-Allow-Origin" and all other related headers in the response.

[Nestor Perez]

Why would you make a request to an API requiring a token from a browser? You'd be leaking your token.

[Wenlue Zhang]

3 hours ago, Nestor Perez said:

Why would you make a request to an API requiring a token from a browser? You'd be leaking your token.

For sure we won't put the token in our front end code 😂 But currently there are some endpoints (e.g. /rating/{cid}/rating_times) which are accessible without a token. Just assuming they are open to public and does not require the token... Isn't it intended?

[Ryan Bentley]

On 11/4/2020 at 12:26 PM, Wenlue Zhang said:

For sure we won't put the token in our front end code 😂 But currently there are some endpoints (e.g. /rating/{cid}/rating_times) which are accessible without a token. Just assuming they are open to public and does not require the token... Isn't it intended?

Yes, certain endpoints are public and do not require token authentication.

[Wenlue Zhang]

On 11/15/2020 at 12:03 AM, Ryan Bentley said:

Yes, certain endpoints are public and do not require token authentication.

But now we can't just call public endpoints from a browser because of CORS issue. Instead, we have to write backend code acting as a "proxy" to expose the data to the front end. Just for confirmation, is it also a expected behaviour?

[Nestor Perez]

It is for now indeed. None of that data gets updated gets updated too often, so we'd appreciate if you'd do some caching server-side 😛