asgs 11273 1y
You aren't crazy. It might be your browser (Chrome) which is not allowing you to exempt localhost. Try some other browser? Or disable the check altogether? There is a CLI option you will need to pass to disable it
Plus, why are you hosting the webapp on your localhost and using their API? If it is not for testing purposes, host it on a remote site and provide your hostname/IP address for them to add those to the allow header
@asgs well sure I can disable CORS. But eventually more of our users will be using this app. And they shouldn’t all have to do that.
This is for testing and development purposes.
The issue is that I can’t even get through to them that CORS needs configured. They literally needed me to explain to them what CORS is, yet claim that can’t possibly be the issue. Even though the error clearly says CORS blocked the request.
@hack Thank you!!! That’s what I’m trying to tell them. Their “Senior Tech” literally asked me “what is CORS?” when I brought this up. And yet, not understanding why the issue even is, they tell me up and down that I don’t know what I’m talking about to the point that I’m starting to doubt myself.
Is there a proxy in the middle? Adding localhost as an allowed origin doesn't make much sense to me unless there is a proxy that accepts the external request and then forwards it to another port over the localhost network.
@cmarshall10450 No. I’m just attempting to hit the API directly. I can fire up a reverse proxy myself and forward requests that way, but the REST API is supposed to be configured to allow localhost, according to the ERP documentation. Or rather, they recommend allowing any origin. Do you mind elaborating a little more on why that wouldn’t make sense to you? I’m open to the idea that there’s a better way.
Hazarth 8629 1y
hmm, have you tried sending a preflight options request with your origin in it?
also is this the official ERP API you're using or are you trying to use their internal api that isn't supposed to be accessed from outside?
Is this an electron app? Because if so, there are ways to handle this. Specifically you can capture the response and update the CORS headers before they hit the browser instance, which allows you to bypass it...
But if this is a browser app then that's sus. I'm not sure if localhost should really be an allowed origin. Browsers are designed to be safe boxes for the users. If any website can just hit the erp api from any user's browser then that's kinda not ok. There's even a special case in CORS when you're sending any type of credentials, like in cookies or authorization header, that is *required* to contain an origin.
So are we talking actual user level browser, or an app like chrome app or electron that uses a browser as an engine?
Nihil757571y
wtf are you talking about? why do you need localhost at all?
They give you a url:
You post to it in postman/cli as
-X POST http://api.erp.com/v1/post
Where and why did this change to:
-X POST http://localhost/v1/post
Is your app acting as a proxy? this is silly. I can understand why they are frustrated with you.
CORS exists for browser users' safety. Tools like Postman or http libraries ignore missing CORS headers. And you're right, the header's called "Access-Control-Allow-Origin", not "Allow-Domain", localhost or IPs are totally fine if necessary.
As long as you don't plan on talking to the API through the browser, but through your own server backend or application, you're good without CORS. Just can't test it in the browser.
@Hazarth This is the official API. The ERP developer specifically recommends allowing any origin in order to hit the API. The people I’m struggling with here are the partner/vendor hosting the instance for us. (Note, this is a dedicated instance. Not one they use for all their customers.) And this is an actual browser level application. Not electron.
And it’s my preflight request that’s being blocked.
Maybe just hitting a reverse proxy is the way to go. Just sucks having to maintain an extra piece ourselves, and being unable to even get through to them what I’m suggesting happen.
@localpost Hmm yeah I’m thinking more and more maybe I need to just reverse proxy it so I can get around CORS. I have a proxy set up and it works fine. I just don’t like having to do that when the ERP developer officially recommends allowing the origin in CORS.
But maybe that’s the way to go. Thank you!
@localpost Yes. Correct. It’s a setup I think is really dumb, but it’s not my call. However, we were told they would do whatever they needed to for us to get API access. We paid… well. I’m not sure I’m allowed to say exactly how much. But over $9k USD to get access to *talk to* this guy who needed me to explain to him what CORS is.
And these are per-user credentials. The server returns an ASP.NET authorization cookie.
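An added example (not code from any poster in the thread or from the ERP vendor): a simplified model of the browser's CORS check beside a server-side allowlist that echoes the request origin. It shows why a wildcard `Access-Control-Allow-Origin: *` stops working once requests carry an authorization cookie like the one mentioned above. The origins are constructed placeholders, and `corsHeaders` and `browserAllows` are hypothetical names.

```javascript
// Constructed allowlist: a local dev origin and a production origin (placeholders).
const ALLOWED_ORIGINS = new Set([
  "http://localhost:3000",
  "https://app.example.test",
]);

// Server side: emit CORS headers only for allowlisted origins, echoing the
// exact origin instead of "*" so that credentialed requests can pass.
function corsHeaders(requestOrigin, credentials) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no headers: browser blocks
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // caches must not reuse the response for another origin
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side (simplified model of the CORS check applied to a response,
// including the preflight response).
function browserAllows(requestOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (!withCredentials && acao === "*") return { ok: true, reason: "wildcard, no credentials" };
  if (acao !== requestOrigin) {
    const reason = acao === "*" ? "wildcard rejected with credentials" : "origin mismatch";
    return { ok: false, reason };
  }
  if (withCredentials && headers["Access-Control-Allow-Credentials"] !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { ok: true, reason: "origin allowed" };
}

// Three cases from a localhost dev page that sends the auth cookie.
function demo() {
  const origin = "http://localhost:3000";
  return {
    wildcard: browserAllows(origin, { "Access-Control-Allow-Origin": "*" }, true),
    allowlisted: browserAllows(origin, corsHeaders(origin, true), true),
    unknown: browserAllows("https://other.example.test",
                           corsHeaders("https://other.example.test", true), true),
  };
}

console.log(demo());
```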
I feel your pain, dude. Here you try to explain why you need to do your webapp in the first place, and a useless senior maintaining the external system doesn't give a shit despite being paid for the ordeal. I would be annoyed as fuck too.
In the short term, it may be obvious to somehow use a separate testing browser with CORS ignored. But in the long term, make your own API layer/server that communicates with the external ERP.
@vintprox ugh… Maintaining our own layer to proxy the requests seems to be the common theme here, so I think that’s the direction I’ll move in. I hate having that extra possible point of failure, but at this point I’m not sure there’s much else I can do. Thanks for your input!