We don't talk about web application security much at Epicodus because it's beyond the scope of what we teach. However, there is one important topic we need to cover briefly now that we are working with API calls.
Browsers use same-origin policy (SOP) to prevent cross-site scripting attacks. A cross-site scripting attack is when a malicious user attempts to access another site via the browser. This generally involves injecting malicious scripts into a web application in an attempt to gain access, get data, or sabotage a site.
Same-origin policy means that a request can only be made from one URL to another if the receiver and the sender have the same protocol, host, and port.
Here's a quick example:
In the URL above,
https is the protocol and
thisisthehost.com is the host. There is no port, and generally there won't be when we are navigating between pages, but a port would look something like this
:8080 and would come right after the host.
Let's say that the following URL wants to make a request of the URL above:
That would be entirely fine. The protocol and host are the same. The only thing different is the path, which is
someotherpage instead of
somepage, and SOP does not care about the path being different.
How about the following URL?
Well, the host name should give it away, but this is a different origin for two reasons. There's a different protocol (
http instead of
https) and there's a different host:
somebodysuspicious.com. Because of SOP, a browser will not allow this URL to make a request to
How about this URL?
This request will also fail. Even though the host name is the same, the
http protocol is different.
So why is this important when it comes to making API calls?
Well, our applications are entirely client-side, which means that all the code we are running is running in the browser. This means that SOP applies to all of our applications.
But wait a minute... How have we been able to make API calls to the OpenWeather API then? How about other APIs we are working with like Giphy?
Well, these APIs have enabled a feature called cross-origin resource sharing or CORS for short. The name is pretty self-explanatory. It's a mechanism that allows resources to be shared across different origins.
It's not really necessary to know the ins and outs of how cross-origin resource sharing works, but on the most basic level, it means attaching a few extra headers to requests and responses. That all happens behind the scenes so we don't need to worry about it.
What matters for us is that the APIs we work with must have CORS enabled if we want to work with them. If an API doesn't have CORS, we can't make API calls from a browser application.
For that reason, if you want to build a client-side application that makes API calls, you need to do some research first and make sure that CORS is allowed. It's not enough to make sure an API call works from Postman. In fact, that doesn't tell us anything about whether it works from the browser! Postman isn't making calls from the browser so the rules of SOP don't apply.
If you try to make a request from the browser to an API call that doesn't allow CORS, you'll get the following error in the console:
Access to fetch at 'https://othersite.com' from origin 'https://mysite.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Note that the names of the sites will be different depending on the URL you are trying to access and the one you are working with.
We've talked about the Same Origin Policy (SOP) with regards to making API calls, but this policy is in place for any request for resources from a browser. This includes requests that happen implicitly by certain Web APIs that provide live-updated data. When a Web API provides live updated data, it means that the Web API is making regular calls (or "requests") to our application to have the most up-to-date data.
We saw an example of a Web API that provides live-updated data in the optional lesson on how to access our project's stylesheets via the CSS Object Model (CSSOM). The Web API that provides live-updated data is the
CSSStyleSheet.cssRules property, which provides a "live" list of all CSS rules in a given stylesheet.
If you did not read the lesson Optional: Accessing Stylesheets in the CSSOM, don't worry. We don't need to know how the CSSOM works (or about its object types) in order to understand the implication of live data. So, let's continue.
Anytime a Web API provides live data, the Web API does so by making regular requests to get updated information. This means if we don't serve our project from localhost, we'll run into errors.
That's because SOP will fail a request to a project that's opened in the browser, but not served. When we open a project in the browser, like by dragging and dropping our
index.html into the browser, the URL will look something like this:
file:///C:/Users/staff/Desktop/oop-address-book-v2/index.html. A URL that starts with
C:/Users/... indicates that we've simply opened a local file in the browser from a Windows computer, and we're not serving the project with a web server. Notably, there's no domain, protocol, or port in the URL, which makes any request to this location automatically fail under SOP.
Remember, according to SOP a request from a browser needs to have a protocol, domain, and port, and whatever resource returned from the request also needs to have that same and matching information. If not, there needs to be a CORS policy in place. However, setting up a CORS policy is not the solution here, since the issue is caused by there being no protocol, domain, or port at all! Adding CORS would do nothing.
Instead, for any Web API that returns live data (and is therefore making regular requests to ensure that data is up-to-date), we need to make sure we're serving our project for the Web API to be able to function. It's as easy as that! Again, there's o need for CORS.
Let's say you really want to work with an API that doesn't allow CORS. Is there any way around this restriction? Well, there are several options:
So while you are welcome to use one of these extensions, just keep that fact in mind. We are still early in the program so you may not plan to turn learning projects into portfolio projects. That being said, we still recommend you pick APIs that allow CORS.