Some API outputs don't support Cross-Origin Resource Sharing #14
Comments
@dan-da Could you have a look? |
CORS is used to relax security policy so that a browser can access content from domain B when viewing a page from domain A. There are both security and traffic/scaling implications with this. As such, I don't think it should be enabled without discussion of cost/benefit. Given that bisq markets api serves only public information, I am not worried about security concerns. However, a potential for traffic overload exists. With the status quo (CORS not enabled) API requests are limited to:
With CORS enabled, any 3rd party website can link to a bisq API within any page causing all visitors to that page to load the bisq API, invisibly to the user. So the number of requests to the bisq API for a given period becomes the sum of each linking site times number of its visitors. Whereas if the linking site called the bisq API itself say every 60 seconds, then the total number of requests is closer to linear with the number of linking sites. So I will turn this issue around and ask the question: Why is this needed exactly? Keep in mind that anyone can run Bisq software and the markets API themselves. |
I just need to be able to access the API via a jquery getJson get https://markets.bisq.network/api/trades?market=all&format=jscallback These are both blocked and for some reason they're not outputting a clean json format: I just need to be able to test it from my localhost and I'm still getting this error: Unfortunately I don't have the skills required to fully set up a local version of the markets API by myself. |
For the volumes I actually was able to load it since the problem was on my side. |
|
My bad, because I was not able to access it because of the absence of the 'Access-Control-Allow-Origin' header I was not able to read the file and thought maybe it was not json. Did you decide whether or not you're going to include the header for the /trades api so we can access it from a different domain? It would really help me in finishing the markets page. :) |
Forgot to mention that the same problem happens on offers: https://markets.bisq.network/api/offers?market=xmr_btc&format=json
|
@dan-da Is it possible to whitelist the bisq.network domain for CORS? If so can you do that? |
Sorry I do not have any access to the server. Someone else would have to do it. Anyway, it doesn't seem that a CORS header change is necessary for bisq.network as bisq.network/markets is already working (tested: Chrome, Firefox), and browsers are successfully making API calls to markets.bisq.network. Seemingly parent domain to sub-domain requests are "OK". |
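The allowlisting asked for above, as an added example that is not part of the original thread or of the Bisq code base: a server-side check that returns `Access-Control-Allow-Origin` only for exact-match origins. The function names, the `allowDev` option and the way the allowlist is stored are assumptions; the two origins are the ones named in this thread.

```javascript
// Added example: exact-match CORS origin allowlist (all names hypothetical).
const ALLOWED_ORIGINS = new Set([
  'https://bisq.network',      // site named in the thread
]);
const DEV_ORIGINS = new Set([
  'http://localhost:4000',     // local test origin from the error message
]);

// Normalise an Origin header value to scheme://host[:port]; null if unusable.
function normaliseOrigin(value) {
  if (typeof value !== 'string' || value === '' || value === 'null') return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // A real Origin header carries no credentials, path, query or fragment.
  if (url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== '/') return null;
  return url.origin; // lower-cased host, default port dropped
}

// Build the CORS-related response headers for one request.
function corsHeadersFor(originHeader, { allowDev = false } = {}) {
  // Vary: Origin keeps shared caches from replaying one origin's answer to another.
  const headers = { 'Vary': 'Origin' };
  const origin = normaliseOrigin(originHeader);
  if (origin === null) return headers;
  // Set membership, not substring or suffix matching, so lookalike hosts fail.
  if (ALLOWED_ORIGINS.has(origin) || (allowDev && DEV_ORIGINS.has(origin))) {
    headers['Access-Control-Allow-Origin'] = origin;
  }
  return headers;
}

// Constructed sample origins, including lookalikes that a suffix match would admit.
function demo() {
  const samples = [
    'https://bisq.network',
    'https://BISQ.network:443',
    'https://evilbisq.network',
    'https://bisq.network.evil.example',
    'http://bisq.network',
    'http://localhost:4000',
    'null',
  ];
  return samples.map((o) => [o, corsHeadersFor(o)['Access-Control-Allow-Origin'] || 'blocked']);
}
```

The header only decides whether the browser lets the calling page read the response; a simple cross-origin GET still reaches the server, so request volume has to be handled separately, for example with rate limiting.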
All return either one of these messages when requesting a result via jquery's get.json:
$.getJSON(jsonUrl+'&callback=?', function (data)
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://markets.bisq.network/api/volumes?basecurrency=BTC&milliseconds=true&timestamp=no&interval=minute&timestamp_from=&timestamp_to=&format=jscallback&fillgaps=&callback=jQuery331036382736050173126_1539448963683&callback=?&_=1539448963684 with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
AND
Failed to load https://markets.bisq.network/api/trades?market=all&format=jscallback&callback=?: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4000' is therefore not allowed access.