Access-Control-Allow-Origin

NOTE: this is an informal bug post place ONLY. Real bugs should be posted on GitHub
Post Reply
User avatar
FiringSquad
Sergeant
Sergeant
Posts: 847
Joined: Thu Jan 26, 2006 5:53 pm
Location: Ireland

Access-Control-Allow-Origin

Post by FiringSquad » Mon Aug 19, 2019 6:37 pm

The response from https://my.bzflag.org/db/ does not allow the contents to be retrieved from a website, as the browser will block it due to Cross-Site concerns.

Adding ["Access-Control-Allow-Origin" : "*"] to the response header would allow the content to be absorbed by by other websites for display.

In my case, I was going to present the list of servers in a filterable way, so that the user can select which servers they want to keep track of on Discord (via a bot).

I can get around it by getting my back-end to retrieve it on my behalf, so not a blocker.

Just wondering if this was an intentional oversight, and if not, any chance this will change soon?

User avatar
The Noah
Private First Class
Private First Class
Posts: 62
Joined: Mon Jul 11, 2016 9:38 pm
Location: GitHub
Contact:

Re: Access-Control-Allow-Origin

Post by The Noah » Mon Aug 19, 2019 8:34 pm

I have noticed this too and also had to use my backend as a work-a-round. It would be very useful if you could just make the request from the browser.

User avatar
blast
General
General
Posts: 4744
Joined: Fri Mar 21, 2003 3:49 pm
Location: playing.cxx
Contact:

Re: Access-Control-Allow-Origin

Post by blast » Mon Aug 19, 2019 10:10 pm

The site is not intended to be consumed directly by browsers. I'm not familiar enough with the edge cases and security implications of that header given that we do use my.bzflag.org for authentication purposes.
"In addition to knowing the secrets of the Universe, I can assure you that I am also quite potty trained." -Koenma (Yu Yu Hakusho)

Image

User avatar
FiringSquad
Sergeant
Sergeant
Posts: 847
Joined: Thu Jan 26, 2006 5:53 pm
Location: Ireland

Re: Access-Control-Allow-Origin

Post by FiringSquad » Mon Aug 19, 2019 11:07 pm

The header has no effect on the security of bzflag.org
It has more to do with protecting browsers on the internet. Essentially, in order to stop rogue scripts from hijacking your browser and sending calls out for DDOS attacks or whatever, browsers prevent any calls outside the current domain, unless specified that it is OK by the browser, and that the other domain is OK for that particular URL to be accessed from outside of its domain.
The https://my.bzflag.org/db/ URL can be accessed by many methods, without a problem, except when you try to do it from a browser that is pointing to a different URL at the time.
The browser intercepts requests that are being made, and will prevent the call happening unless the client has not said it's OK for the browser to make the such request and the producer of the resource says that it doesn't mind being accessed from another domain.
By placing ["Access-Control-Allow-Origin" : "*"] in the header response for this call, essentially you are saying "Any domain can make the request".

There's a good description of it here

There are always ways around it, provided you have the wherewithal to tackle the extra effort, but from the rules regarding the use of this list, it seems that it was intended to be shared in this way, so it's a shame that jumping through a few extra hoops is required.

User avatar
Zehra
Private First Class
Private First Class
Posts: 621
Joined: Sun Oct 18, 2015 3:36 pm
Location: Arctic

Re: Access-Control-Allow-Origin

Post by Zehra » Mon Aug 19, 2019 11:23 pm

I might be totally wrong here, but perhaps it is related to "not directly forwarding login requests" which was added some time ago.
However if it is non-login related, I certainly would like to be able to get the list from the browser more easily.

-Zehra
Those who are critical of me, I'll likely be the same of them. ~Zehra
There's always something to remember and it's been a game I love. ~Zehra
The time spent is a time which can never be regained, so it's a time to enjoy. ~Zehra
The decisions we make are the ones we look forward too and the ones we regret. ~Zehra
There's a difference between knowing my name and knowing me, one shows respect to my name and the other is to who I am. ~Zehra

See where I've last been active at Strayers.

User avatar
blast
General
General
Posts: 4744
Joined: Fri Mar 21, 2003 3:49 pm
Location: playing.cxx
Contact:

Re: Access-Control-Allow-Origin

Post by blast » Tue Aug 20, 2019 12:49 am

I don't have the energy at the moment to investigate this, and I'm not going to blindly enable such a feature. This is something you can easily pull from your backend, optionally caching it in your backend.
"In addition to knowing the secrets of the Universe, I can assure you that I am also quite potty trained." -Koenma (Yu Yu Hakusho)

Image

User avatar
FiringSquad
Sergeant
Sergeant
Posts: 847
Joined: Thu Jan 26, 2006 5:53 pm
Location: Ireland

Re: Access-Control-Allow-Origin

Post by FiringSquad » Tue Aug 20, 2019 8:07 am

The list is sorted by activity, which is likely to change, so caching is probably not going to be done. Besides, in my case, I need my back-end to remain stateless, so that it's easily replicated for High Availability, fail-over etc., as it's a college project, and so the implementation has specific constraints.

You're right though. The list is not designed currently to be consumed by other web-services, and there is no commitment to a particular API, so your implementation is currently allowed to change, and break any services depending on it.

Post Reply