I am using Azure DocumentDB with REST API and trying to call the API from HTML page using Ajax requests. But I found that authorization headers are not getting added in a request. After searching, a lot, I found that it may be a CORS issue. Same request works well when POSTMAN tool is used. Security header got set in this case.
You're correct! DocumentDB REST API can't be called using AJAX from the browser because of CORS and right now it is not possible to configure CORS settings for a DocumentDB account.
Related
i have read a lot about DocuSign api and how they works, i figured out that they don't support cors.
For this reason i'm using an angular proxy configuration for my test environment, so i could do all my tests with my localhost.
The problem is that when i upload my project on a server i can no more use that proxy config, if i try to use it by replacing "localhost" with my domain name it returns me an html which is not an error from docusign but a sort of error related to my proxy conf.
I think i need create a cors gateway in my server in order to use the api, i've read a guide about that and it's very complicated since i'm only a frontend developer.
So my answer is:
is there any easier method to use these api in my online application?
can i obtain some sort of permissions from docusign which grants to my domaint to access their api calls without going into some sort of cors errors.
Thank you for attention
I work in DocuSign developer support. We do not support CORS. It is on our roadmap. Looks like you have your options, move the calls to DocuSign to the back-end or build a CORS gateway.
I created MongoDB and Node.js REST API for my website. I am accessing my database data from the API and showing it on my website. I am doing these things locally on localhost.
Now I want to host my REST API. I don't have any idea regarding hosting. If I host my REST API somewhere and start getting data through its endpoints, then anybody can use those endpoints and access my data, but I want to restrict it to my website only. Meaning, that only my website can make requests to that API, no other websites can make a request. If other websites try to access it, it should show an error. How can I achieve this? Can someone please explain me step by step how do I do this?
I think you are referring to CORS. You need to set your API to have a response header like this on all requests:
Access-Control-Allow-Origin: https://yourSiteDomain.com
You can read more about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
Other people can still access your API directly though, through postman etc.
What you need is a CSRF(cross site request forgery) token
for node js you can use
csurf : http://expressjs.com/en/resources/middleware/csurf.html
look online on how to implment it
In my react-admin application, I'm sending two api hits for each create action and I'm not sure why.
Network Tab Data
I have the django REST framework backend running as well, could this be the issue?
Your API is probably on another domain than the HTML page, so your browser sends a CORS preflight request to the server with the HTTP OPTIONS verb before sending a GET or a PUT. This is absolutely normal and there is nothing you can do to prevent it - apart from putting your API and your webapp on the same domain.
More information about CORS: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
I have a nodeJS express app, that serves front end app using React and also provides an API. The React app calls the backend API and as such there is no cross origin.
When I deploy this to Bluemix without SSO, everything works fine. When I deploy using SSO service I get error
Fetch API cannot load https://abcd-9bgrvudk1p-ct20.iam.ibmcloud.com/idaas/oidc/endpoint/default/authorize?response_type=code&client_id=Z4eSiL50dT&redirect_uri=https%3A%2F%2Fconsole-sso.mybluemix.net%2Fauth%2Fsso%2Fcallback&scope=openid%20openid.
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://console-sso.mybluemix.net' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I tried calling the API directly and after SSO auth, it works fine, But when the API is invoked by the front end app, it returns the above error.
FYI, API target is https://console-sso.mybluemix.net/api/reports/daily-reports
I have followed the Single Sign On documentation
I tried adding CORS module and response headers to allow a CORS request but it did not work. I also tried adding * to SSO configuration to allow all origins but no luck. Any pointers would be great! Thanks
This will require Support to review. Please open a ticket with the BlueMix support team
I'm using IoTHub F1 subscription and facing following problem:
I'm calling REST endpoint for get device list from iothub,
Ex: https://my_iothub_name.azure-devices.net/devices?top=10&api-version=2016-11-14
The above api call is working fine from postman (postman is ApiAgent)
But the problem is when I'm calling same api from browser it's giving me 405 method not allowed error.
I've read about it and it's looks like problem with OPTIONS request from browsers.
Please throw some lights on this issue,
Thank you very much.
I don't think this is currently possible, first because, from what I see, Azure IoT hub REST API does not issue CORS requests (i.e. they don't write in the CORS header access-control-allow-origin), so your browser client can't access it.