HttpRequest, accessing third party web service

[_Marc_]

The documentation mentions that I can use HttpRequest only on local domain addresses? Is this saying that I cannot access web services on other domains? I hope not. An example would be nice.

[SparrowhawkMMU]

This is a security feature baked into web protocols I believe.

You need the remote page or API to allow access from your own domain. Or all domains using an asterisk as a wild card:

Code: Select all

Access-Control-Allow-Origin: *

Search the forums for this, there are several threads about it. Which go into detail.

[_Marc_]

This is a security feature baked into web protocols I believe.

You need the remote page or API to allow access from your own domain. Or all domains using an asterisk as a wild card:

Code: Select all

Access-Control-Allow-Origin: *

Search the forums for this, there are several threads about it. Which go into detail.

Believe me, I searched. Like this one:

http://forums.spiderbasic.com/viewtopic ... igin#p1739

Problem is that most of the web services I like to access are third party open web services like:

https://developer.wordpress.com/docs/ap ... ite/users/
http://del.icio.us/api/:username/bookmarks/

I cannot control them (eg. set the response header), but they're known for working from other websites/domains. Also I know that these are working from my own domain/ASP.NET web service, therefore must allow it.

The documentation of PB says: "Due to security constraints, it is only possible to execute a request on the same domain.".

If you say it can work then it would be great if you could provide me with a working example accessing a third party REST service (not on the same domain or local).

[bbanelli]

If you say it can work then it would be great if you could provide me with a working example accessing a third party REST service (not on the same domain or local).

I am really far from expert in this, so kindly take my writing with a grain of salt.

As far as I have understood, your logic is faulty. You can call a local script (PHP or CGI written in PureBasic, for example), and access REST API from desired site. That is how I do it and it work flawlessly.

How do you expect to protect your credentials for REST API in JavaScript? http://mypasskey@example.com/api/ It would be completely visible to client, which is something you don't want, right?

[_Marc_]

If you say it can work then it would be great if you could provide me with a working example accessing a third party REST service (not on the same domain or local).

I am really far from expert in this, so kindly take my writing with a grain of salt.

As far as I have understood, your logic is faulty. You can call a local script (PHP or CGI written in PureBasic, for example), and access REST API from desired site. That is how I do it and it work flawlessly.

How do you expect to protect your credentials for REST API in JavaScript? http://mypasskey@example.com/api/ It would be completely visible to client, which is something you don't want, right?

In my case I would use ASP.NET but I know what you're getting at. This would mean I cannot directly connect to the third party web service but use my own ASP call as intermediare.

NB: I'm using a user input of credentials combined with 2FA and hashing. So yes, I know I cannot put the credentials as constants in my code .

[_Marc_]

This is a security feature baked into web protocols I believe.

You need the remote page or API to allow access from your own domain. Or all domains using an asterisk as a wild card:

Code: Select all

Access-Control-Allow-Origin: *

Search the forums for this, there are several threads about it. Which go into detail.

I've added the header via web.config as documented here:
http://enable-cors.org/server_iis7.html

Now it's working for my own web service. For now that's the most important thing.

BTW: What are the disadvantages of allowing this? We give external developers access to it for native applications like OSX and Windows. That was already working before this fix. Why is access from a external website not allowed by standard?

[SparrowhawkMMU]

The cons are reduced security, so you may want to specify specific calling domains if possible, rather than allowing from all. Of course this may not b possible.

Good article here: https://developer.mozilla.org/en-US/doc ... ntrol_CORS

[_Marc_]

The cons are reduced security, so you may want to specify specific calling domains if possible, rather than allowing from all. Of course this may not b possible.

Good article here: https://developer.mozilla.org/en-US/doc ... ntrol_CORS

The final/live SB project will be hosted on the same domain, so eventually I can remove that header (if I understand it all correctly). I only need to be able to test from my developer Mac with PB's IDE. Is it possible to add something that will allow me to test the web service from my PB IDE; eg. by adding my IP address?

[Fred]

You can fake it with the following step on your dev computer:

1) edit your 'hosts' file (C:\Windows\System32\drivers\etc\hosts) and add a line like:

127.0.0.1 spider.test

2) Add to your server:

Access-Control-Allow-Origin: spider.test

3) Set in Spiderbasic IDE -> Compiler Options -> Compile/Run -> Web Server Address:

spider.test:8080

It should work