CORS error retrieving document from API


#1

Hi all, not sure if this is a bug or intended behavior. I’m writing a little JavaScript client-side app that will retrieve a Dynalist document and display a flat sorted list of items matching a search. Unfortunately when the app tries to pull the document from the API it gets rejected with a CORS error:

(In the error above, the origin IP is a local dev server on my Chromebook, but I expect this error would occur on any server.)

Does the Dynalist API have an Access-Control-Allow-Origin header set? Or is this not an intended use of the API? Or maybe I’m just doing it wrong? :slight_smile:

Here’s the source code, in case it helps: https://github.com/PurpleGuitar/dynalist_utils/blob/6a0fdfd72dddbe691f5d14bc67a5038c9aaf400f/dynalist_utils.js

Disclaimer: I’m not strong in JavaScript. Comments are welcome, but please be kind. :wink:


#2

If your intent is that a user’s browser should be able to access the Dynalist API, it looks like you’ll need to set Access-Control-Allow-Origin to * on the response header, as described here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin .

Or am I missing something? @Erica, @Shida, any thoughts?


#3

Hmm that seems like something we missed. I’m guessing that the majority of the time, our API is used from some kind of automated/semi-automated script like Python, or IFTTT, which isn’t run from a browser session.

Before we enable CORS for everyone, we should consider the security implications for it. For example, if our API endpoints allowed CORS credentials, and used the user’s session with cookies, then it would be vulnerable to malicious sites that make API requests to Dynalist from the user’s browser.

With that said, since the API is completely token based, I think we should be safe to enable CORS to use with browser-based apps.
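
The distinction drawn in the post above, as an added example that is not part of the thread and is not Dynalist's code: a simplified model of the browser's CORS check, comparing a wildcard policy on a token-based API with an origin-reflecting, credential-allowing policy on a cookie-based one. All function names, policy objects and origins are hypothetical, and the model ignores preflight requests and cookie attributes such as SameSite.

```javascript
// Added example; function names and the two sample policies are hypothetical.

// Build CORS response headers from a policy object.
// allowOrigin: '*' (wildcard) or 'reflect' (echo the request's Origin).
function corsHeaders(policy, requestOrigin) {
  const headers = {};
  if (policy.allowOrigin === '*') {
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (policy.allowOrigin === 'reflect' && requestOrigin) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  }
  if (policy.allowCredentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Model of the browser's CORS check on a response.
// withCredentials = the page asked the browser to attach cookies.
function browserAllowsRead(headers, pageOrigin, withCredentials) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (!allowOrigin) return false;
  if (!withCredentials) return allowOrigin === '*' || allowOrigin === pageOrigin;
  // Credentialed responses: wildcard is rejected, origin must match exactly.
  return allowOrigin === pageOrigin &&
    headers['Access-Control-Allow-Credentials'] === 'true';
}

// True when an arbitrary site can read responses made with the user's
// ambient session, which is the risk described for cookie-based APIs.
function sessionReadableCrossSite(policy, authMode) {
  if (authMode !== 'cookie') return false; // a token must be supplied by the caller
  const origin = 'https://untrusted.example'; // constructed sample origin
  return browserAllowsRead(corsHeaders(policy, origin), origin, true);
}

// Constructed sample policies.
const tokenApiPolicy = { allowOrigin: '*', allowCredentials: false };
const riskyCookiePolicy = { allowOrigin: 'reflect', allowCredentials: true };
```

With the wildcard policy any page can read a response, but only for a request in which that page supplied a token itself; the browser attaches nothing on the user's behalf.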


#4

Yep, that makes sense. Thanks for considering my request.


#5

It works now! Thanks much! :smiley: