Bypass CORS restrictions when using the local API


Benjamin Png

Aug 9, 2024, 2:07:19 AM
to zotero-dev
I am trying to build a plugin for another program (not Zotero). It is an Electron program and as a result, runs inside Chromium. This means that when I make a call to the local API, it fails due to a CORS issue.

Since it is a local API, is there a way to bypass the CORS issue or at least, allow CORS for just the local API?

Abe Jellinek

Aug 9, 2024, 12:17:00 PM
to zoter...@googlegroups.com
I’m not too familiar with Electron, but it seems like your two options are:

1. Use Node’s HTTP module to make the request. Electron allows you to access Node modules from web content. (But the program you’re writing the plugin for might restrict that.)
2. Use WebRequest hooks to override the CORS headers on the request.

We wouldn’t want to allow cross-origin requests to the local API - webpages shouldn’t have access to it.

On Aug 8, 2024, at 9:44 AM, Benjamin Png <benp...@gmail.com> wrote:

I am trying to build a plugin for another program (not Zotero). It is an Electron program and as a result, runs inside Chromium. This means that when I make a call to the local API, it fails due to a CORS issue.

Since it is a local API, is there a way to bypass the CORS issue or at least, allow CORS for just the local API?

--
You received this message because you are subscribed to the Google Groups "zotero-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zotero-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zotero-dev/f1b1737f-997e-4e8c-8d4f-b8ac58db62d1n%40googlegroups.com.

Oras P.

Aug 10, 2024, 2:15:21 AM
to zotero-dev
I asked a relevant question in another thread, so I would like to ask here as well. I'm not super familiar with CORS limitations though, so let me know if I misunderstand any of its concepts:

=======================================

I am trying the local API out by integrating it into an Electron app (Logseq), but got 403 "Request not allowed". The same happened when I just accessed the API using a browser (Firefox, Chromium). I checked out the source code, and found out that if I include the header "x-zotero-connector-api-version" or "zotero-allowed-request" in my request, then I get the response just fine.

Questions:
  1. Why does the API protect against requests made by
  2. What is the proper way to access the local API from an Electron app?
  3. What do headers "x-zotero-connector-api-version", "zotero-allowed-request" mean? Can I just include those in my request to access the API? What should their values actually be?
This is actually my first time looking at Zotero source code, so any general guidance is very welcome!

Oras.

Benjamin Png

Aug 10, 2024, 2:19:24 AM
to zoter...@googlegroups.com
Coincidentally I just built a plugin for Logseq with the new Zotero (https://github.com/benjypng/guide-logseq-plugins). 

Understand that it’s a design choice by the Zotero team, which is extremely fair and not uncommon. When building an API, you can decide what headers you want or don’t want to accept, depending on your intention. 

Regards,
BP
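
An added illustration, not part of any post above and not Zotero's source code, of the design discussed in this thread: a loopback API that answers 403 to browser-looking requests unless a custom header is present, and never returns CORS allow headers. The header name is the one quoted in the thread; the browser signals (`Origin`, a `Mozilla/` User-Agent), the presence-only check and the sample requests are assumptions.

```javascript
// Added illustration, not Zotero's code: request gate for a loopback HTTP API.
// The header name is quoted in the thread; the decision logic is an assumption.
const OPT_IN_HEADER = 'zotero-allowed-request';

// Lower-case header names, the way Node's http module exposes them.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Assumed browser signals: an Origin header or a "Mozilla/" User-Agent.
function looksLikeBrowser(h) {
  return 'origin' in h || (h['user-agent'] || '').startsWith('Mozilla/');
}

// Decide on a request { method, headers }; returns { status, headers, reason }.
function gate(req) {
  const h = normalize(req.headers);
  if (looksLikeBrowser(h) && !(OPT_IN_HEADER in h)) {
    // No Access-Control-Allow-* headers are returned, so a cross-origin page
    // can neither read this response nor get a preflight approved.
    return { status: 403, headers: {}, reason: 'Request not allowed' };
  }
  // Allowed, still without Access-Control-Allow-Origin.
  return { status: 200, headers: {}, reason: 'ok' };
}

// Constructed sample requests (not captured traffic); values are placeholders.
const samples = {
  // Plain cross-origin fetch() from a web page: the browser adds Origin.
  pageFetch: { method: 'GET', headers: { Origin: 'https://page.example', 'User-Agent': 'Mozilla/5.0' } },
  // Preflight sent when a page tries to add the custom header: the header is
  // only named in Access-Control-Request-Headers, it is not present itself.
  preflight: { method: 'OPTIONS', headers: { Origin: 'https://page.example', 'User-Agent': 'Mozilla/5.0',
    'Access-Control-Request-Method': 'GET', 'Access-Control-Request-Headers': OPT_IN_HEADER } },
  // Non-browser local client, e.g. a request made through Node's HTTP module.
  nodeClient: { method: 'GET', headers: { 'User-Agent': 'local-plugin/0.0' } },
  // Client that sets the custom header itself.
  optedIn: { method: 'GET', headers: { 'User-Agent': 'Mozilla/5.0', 'Zotero-Allowed-Request': 'placeholder' } },
};

// Map each sample name to the status the gate returns for it.
function runSamples() {
  return Object.fromEntries(Object.entries(samples).map(([n, r]) => [n, gate(r).status]));
}

console.log(runSamples());
```

The preflight case is the one that keeps web pages out: a page can only attach a non-safelisted header after the server approves a preflight, and the preflight itself never carries that header.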

