Hello, I have a problem with CORS and I think this is right community to get help.
When I use this code:
import { LemmyHttp } from 'lemmy-js-client';
const client = new LemmyHttp('https://lemmy.ml');
const { posts } = await client.getPosts({
limit: 10,
page: 1
});
to get posts from lemmy.ml (using lemmy-js-client), I get:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://lemmy.ml/api/v3/post/list?limit=10&page=1. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 400.
I have tried to add header like this:
const client = new LemmyHttp('https://lemmy.ml', {
headers: {
'Access-Control-Allow-Origin': '*'
}
});
but result is the same.
Can someone help me with this?
The
Access-Control-Allow-Originis meant to be set on the server side and is part of a mechanism called CORS. MDN has a good guide on CORS (It might seem too long and complex to read if you just want to access some data on an API, but knowing how it works is essential if you plan to work with HTTP-based APIs.)In short, lemmy.ml (and probably most other Lemmy instances) doesn’t seem to allow API access from within a browser. You’ll have to build a Node.js proxy (with lemmy-js-client) and use that to connect the browser to.
Thanks for the link, I’ll read it.
you can’t add cors headers on client side, they should be added on the server of lemmy.ml. In addition to that I made a GET request with curl to the URL of
https://lemmy.ml/api/v3/post/list?limit=10&page=1and It worked. Try this on your terminalcurl --location 'https://lemmy.ml/api/v3/post/list?limit=10&page=1'EDIT: I tried to lemmy-js-client and it worked.
curl doesn’t care about CORS, CORS is a browser implementation.
For CORS to work the url should be returning a header of
access-control-allow-origin : *(or an header specific to the origin)It seems like they are working on it: https://github.com/LemmyNet/lemmy/pull/3421
So I’ll have to wait for this PR to be merged. I think they will do it soon because it provides more positive value that negative at this moment
I don’t know if the PR is going to solve it though.
If I’m looking at the file changed: https://github.com/LemmyNet/lemmy/pull/3421/files
It seems like the “Lemmy Instance Owner” would have to set an environment variable of “
LEMMY_CORS_ORIGIN” - and if there’s no variable set it defaults back to:.allow_any_origin() .allow_any_method() .allow_any_header()
I don’t know if instances are going to “allow *”
I haven’t found
.allow_any_origin()in source (query), but isn’t it sorta equivalent toAccess-Control-Allow-Origin: *? Or I’m misinterpreting somethingEdit: from the author of PR:
It’s also worth noting that the behavior of allow_any_origin makes the server echo back CORS headers that respect the request’s Origin header, as opposed to send_wildcard which sends back * for the CORS headers. I don’t think this really matters, but it’s something to keep in mind.
Setting it to
*will prevent the browser from including credentials in the request (cookies). Dynamically setting it to the origin of the requesting client effectively does the same but also allows for using credentials.I don’t think it would be a very good implementation to just let any site dynamically request to be allowed by CORS, including with credentials… A malicious site could do way too many things on the users behave
A possible solution would be something like how reddit or github do it - have the user first accept an “Allow third party app / website to access my account” - and after that, add those sites to the
Access-Control-Allow-OriginWhat are the exact attack vectors you’re thinking of?
yes but OP still can’t do anything on the client side, it should be configured on the server
Not a direct answer, but for an explanation and history of CORS, this was a fun talk at stangeloop last year: https://youtube.com/watch?v=0YJ-yhoJh2I
Thanks, I’ll watch it
