Allow cross origin [CORS] #133

Closed
tetreum opened this Issue Sep 15, 2013 · 26 comments

tetreum commented Sep 15, 2013

Hi, my app is JS only and the Twitch API doesn't have a cross-origin header, so I can't make requests.
header('Access-Control-Allow-Origin:*');

WolfWings commented Sep 17, 2013

Twitch supports the JSONP mechanism, which avoids any issues of CORS by utilizing callbacks instead. Here's a minimal function to make using this approach easier; I've been using it with good success so far. It's based on a stripped-down version of the library at erikarenhill/Lightweight-JSONP@2dbd3af

/*
* Usage:
* 
* JSONP( 'someUrl.php?param1=value1', function(data) {
*   //do something with data, which is the JSON object retrieved from someUrl.php
* });
*/
var JSONP = (function(){ 'use strict';
    var counter = 0;

    var memoryleakcap = function() {
        if (this.readyState && this.readyState !== "loaded" && this.readyState !== "complete") { return; }

        try {
            this.onload = this.onreadystatechange = null;
            this.parentNode.removeChild(this);
        } catch(ignore) {}
    };

    return function(url, callback) {
        var uniqueName = 'callback_json' + (++counter);

        var script = document.createElement('script');
        script.src = url + (url.toString().indexOf('?') === -1 ? '?' : '&') + 'callback=' + uniqueName;
        script.async = true;

        window[ uniqueName ] = function(data){
            callback(data);
            window[ uniqueName ] = null;
            try { delete window[ uniqueName ]; } catch (ignore) {}
        };

        script.onload = script.onreadystatechange = memoryleakcap;

        document.getElementsByTagName('head')[0].appendChild( script );

        return uniqueName;
    };
}());

bogglez commented Nov 3, 2013

+1 for adding CORS support. I will not use JSONP out of security concerns.
Please read this and reconsider adding support, it's a one-liner:
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#CORS_relationship_to_JSONP
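
The difference behind the concern above, as an added example that is not part of the thread: a JSONP body is executed as script, while a CORS response is only parsed as data. The function names and response bodies are constructed for illustration.

```javascript
// Added example, not from the thread. Response bodies are constructed.
// The callback name follows the 'callback_json' + counter scheme of the
// JSONP helper posted earlier in this issue.
const HONEST_BODY = 'callback_json1({"stream":null})';
const EXTRA_CODE_BODY = 'callback_json1({"stream":null}); extra()';

// Models <script src=...>: the whole body runs as code. Here it can reach only
// two names (the callback and a harmless probe); in a page it reaches everything.
function loadAsJsonp(body) {
  const result = { data: null, extraCodeRan: false };
  const run = new Function('callback_json1', 'extra', body);
  run(d => { result.data = d; }, () => { result.extraCodeRan = true; });
  return result;
}

// Models fetch(url).then(r => r.json()) on a CORS response:
// the body is either valid JSON data or it is rejected.
function loadAsJson(body) {
  try {
    return { data: JSON.parse(body), extraCodeRan: false, error: null };
  } catch (e) {
    return { data: null, extraCodeRan: false, error: e.name };
  }
}
```
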

bogglez commented Dec 19, 2013

Is this a no?

averetennikov commented Feb 18, 2014

Please add CORS support.
JSONP is a very uncomfortable and old technology.

msmollin commented May 21, 2014

I'm going to cautiously +1 this. However, for those of you watching this, even though IE 8 & 9 implement CORS support, there are some pretty serious limitations/issues with that implementation. You can read about it here -
http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

So even though "modern" browsers support it, unless Twitch drops support on the API for IE 8 & 9, we probably will be stuck with JSON-P for now.

bogglez commented Jul 28, 2014

You can have support for both. All that needs to be done is add one single line to the webserver config file and this issue is resolved. Developers can use CORS and use unsafe JSONP on IE. Absolutely nothing changes. The way this issue is handled is so ridiculous that I gave up on an app depending on this.

Spiffyk commented Aug 1, 2014

I totally +1 this issue. Even though my app does not really depend on CORS, I'd really rather not use JSON-P. I hope I won't have to.

WolfWings commented Aug 6, 2014

In this case, it really is a matter of 'blame Microsoft (yet again) for why the shiny new feature can't be used' due to as mentioned: IE8 and IE9.

Supporting both JSON-P AND JSON+CORS would cause most websites that attempt to integrate with Twitch to fail to integrate for any users using IE8/9 because web-developers would just grab JSON+CORS and stop testing, as JSON-P is more difficult for most web-developers to use as they have to deal with the callback mechanics.

As IE8/9 is approximately 25% of the web-browsers out there still I see why supporting JSON+CORS is a non-starter and likely to remain so for quite some time.

Spiffyk commented Aug 6, 2014

But that is the web-developers' concern, how they will treat different browsers, no? If they want or have to, they will make their app support IE. If they don't... well then the apps just won't work under IE8/9. And also... you can't blame Microsoft, they've got their updated versions of IE. Blame the users that won't upgrade or go to a different browser even when it's free and is a matter of a few clicks.

WolfWings commented Aug 6, 2014

It's more a matter of Twitch forcing streamers and developers of websites to use the technology most compatible with the browsers Twitch themselves choose to support: IE8/IE9 are on that list, and the easiest way to force developers to support these is by only supporting the interfaces that work with IE8/IE9 as well since those interfaces ALSO work with all other browsers and platforms.

You're using the Twitch service, so it's no longer up to you to decide what browsers you support: You support the ones they do, in effect. It's not in the interest of Twitch to lose control over what browsers they choose to support, and JSONP is needed to do that so why support two different interfaces?

martijnhoekstra commented Aug 9, 2014

+1

tetreum changed the title from "Allow cross origin [HTML+JS Apps]" to "Allow cross origin [CORS]" on Aug 9, 2014

tetreum commented Aug 9, 2014

Developers do what they want, that's why they're developers. So I'm using YQL to bypass the CORS issue.

Prof9 commented Sep 21, 2014

+1 this issue. With JSONP you cannot set HTTP headers, so it is impossible to query a specific API version or send your client ID.

XrXr commented Oct 28, 2014

+1

richardbrammer commented Jan 20, 2015

How is it possible to use PUT with a JSONP call without CORS support?

This is needed to update the channel status as described here:
https://github.com/justintv/Twitch-API/blob/master/v3_resources/channels.md#put-channelschannel

Contributor

bashtech commented Jan 20, 2015

You can use the _method=PUT query string param to specify that it is a PUT request.

richardbrammer commented Jan 20, 2015

Thanks @bashtech , using _method=PUT works just fine!

pburtchaell commented Jun 20, 2015

Would really appreciate CORS support here. In most cases it is a one line code change!

noinkling commented Dec 30, 2015

Has CORS support officially been added? Access-Control-Allow-Origin: * seems to be set now and I can get data fine without JSONP.

neolectron commented Dec 21, 2016

I still have the CORS error.

vybz1000 commented Jan 25, 2017

Any news on this? My OPTIONS call gets....

access-control-allow-headers:Accept, Authorization, Client-Id, Twitch-Api-Token, X-Forwarded-Proto, X-Requested-With, X-Csrf-Token, Content-Type

but no X-Xsrf-Token
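
How a browser evaluates the allow list quoted in the comment above, as an added example that is not part of the thread and not Twitch code. It is a simplified model of the preflight header check; `blockedByPreflight`, `isSafelisted` and the sample request headers are hypothetical names and constructed values.

```javascript
// Added example, not Twitch code. Simplified model of the CORS preflight
// header check (value limits on safelisted headers other than Content-Type
// are ignored here).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when the browser sends this header without asking permission first.
function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (SAFELISTED.has(n)) return true;
  if (n !== 'content-type') return false;
  const mime = String(value).split(';')[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(mime);
}

// Returns the request header names the preflight response does not permit.
// allowHeaders: raw Access-Control-Allow-Headers value from the OPTIONS reply.
function blockedByPreflight(requestHeaders, allowHeaders, withCredentials = false) {
  const allowed = new Set(
    String(allowHeaders || '').split(',').map(h => h.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is a wildcard only for requests without credentials, and it never
  // covers Authorization, which must be listed by name.
  const wildcard = allowed.has('*') && !withCredentials;
  return Object.entries(requestHeaders)
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name)
    .filter(name => {
      const n = name.toLowerCase();
      if (allowed.has(n)) return false;
      return !(wildcard && n !== 'authorization');
    });
}

// Allow list as quoted in the comment above.
const TWITCH_ALLOW = 'Accept, Authorization, Client-Id, Twitch-Api-Token, ' +
  'X-Forwarded-Proto, X-Requested-With, X-Csrf-Token, Content-Type';

// Constructed request headers (values are placeholders).
const apiRequest = { 'Accept': 'application/json', 'Client-ID': 'PLACEHOLDER' };
const withXsrf = { ...apiRequest, 'X-XSRF-TOKEN': 'PLACEHOLDER' };
```

Header names are compared case-insensitively, so `Client-ID` matches the listed `Client-Id`, while a client library that attaches `X-XSRF-TOKEN` on its own fails the preflight until that header is removed from the request.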

Contributor

3ventic commented Jan 25, 2017

This is the first I hear about X-Xsrf-Token and quick googling would suggest it's something specific to the Laravel framework for PHP?

trumpi commented Jan 25, 2017

The Twitch API doesn't use cookies to authenticate, so an XSRF token is not necessary.

billygerhard commented Feb 24, 2017

I am going to +1 this as well. Yes, we can use JSONP, but that causes a lot of overhead to have to keep adding extra code for every time you want to use the API in the application, instead of just using the API as is to bypass a simple feature for Twitch to add. And as stated above, you can support and serve both options to developers at once. You don't need to make a hard switch to support CORS.

Contributor

bashtech commented Feb 24, 2017

All /kraken/ endpoints support CORS. This is a really old issue that should probably be closed.

Fugiman closed this Mar 10, 2017
