Easy way to determine if agencies have enabled CORS for their APIs?


Jeffrey Meisel - XFA

Apr 14, 2015, 11:15:20 AM
to us-govern...@googlegroups.com
Is there an easy or automated method to determine which government APIs offer CORS, without trial and effort, and manual back and forths with API owners at various agencies? 

I am working on the City SDK project at Census, which aims to help interoperability issues between federal and local data.  We want to add support for more federal agency APIs to the project, but are running into issues determining which APIs are intended for deployment into live apps, and specifically which ones have CORS enabled.  

Thanks,

Jeff

Presidential Innovation Fellow
US Census Bureau

City SDK Project Overview:  http://uscensusbureau.github.io/citysdk/

Eric Mill

Apr 14, 2015, 12:12:35 PM
to Jeffrey Meisel - XFA, us-government-apis
I found it a bit tricky with cURL, but this has some helpful suggestions:


Basically, you want to look for an Access-Control-Allow-Origin header, and you need to trigger the response by including an Origin header. The web server may vary though, on what URLs have CORS enabled or don't, or under what situations the headers are exposed.

-- Eric

--
You received this message because you are subscribed to the Google Groups "US Government APIs" group.

Irakli Nadareishvili

May 2, 2015, 10:34:31 AM
to us-govern...@googlegroups.com
Unfortunately, there's no such thing as a simple "support CORS". The list of scenarios and options of what can be supported, for which methods, which headers etc. is very long. Alas, a whole bunch of APIs claiming to have CORS support also have a broken implementation, especially when it comes to proper support of pre-flighting (https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests). Which, IMHO, is more the fault of the convoluted CORS spec than of people trying to make sense of it, but anyway...

The CLI/curl-based solution Eric posted seems to be doing a proper job. There's also a web-based tool that doesn't seem to be too far off: 
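
The check discussed in this thread (send an `Origin` header, look for `Access-Control-Allow-Origin`, then test the preflight separately), as an added Python example that is not part of any post above. The function names, the origin `https://app.example` and the sample headers are constructed for illustration; `probe` needs network access and is not called on import.

```python
import urllib.error
import urllib.request

def _get(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), "")

def _tokens(value):
    return {t.strip() for t in value.split(",") if t.strip()}

def simple_ok(headers, origin, credentials=False):
    """Would a browser expose this response to a script running on `origin`?"""
    acao = _get(headers, "Access-Control-Allow-Origin")
    if credentials:  # the wildcard is not honoured for credentialed requests
        return acao == origin and _get(headers, "Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)

def preflight_ok(status, headers, origin, method, req_headers=()):
    """Does this OPTIONS response permit the actual (non-credentialed) request?"""
    if not 200 <= status < 300 or not simple_ok(headers, origin):
        return False
    methods = _tokens(_get(headers, "Access-Control-Allow-Methods"))  # case-sensitive
    allowed = {h.lower() for h in _tokens(_get(headers, "Access-Control-Allow-Headers"))}
    # GET/HEAD/POST are safelisted methods and need not be listed explicitly.
    method_ok = method in ("GET", "HEAD", "POST") or "*" in methods or method in methods
    # "*" in Allow-Headers does not cover Authorization; it must be named.
    headers_ok = all(h.lower() in allowed or ("*" in allowed and h.lower() != "authorization")
                     for h in req_headers)
    return method_ok and headers_ok

def probe(url, origin, method="GET", req_headers=()):
    """Send a GET and a preflight to `url`; return (simple_ok, preflight_ok)."""
    def send(verb, extra):
        req = urllib.request.Request(url, method=verb, headers={"Origin": origin, **extra})
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.status, dict(r.headers.items())
        except urllib.error.HTTPError as e:  # non-2xx responses still carry headers
            return e.code, dict(e.headers.items())
    _, h = send("GET", {})
    pre = {"Access-Control-Request-Method": method}
    if req_headers:
        pre["Access-Control-Request-Headers"] = ", ".join(req_headers)
    status, ph = send("OPTIONS", pre)
    return simple_ok(h, origin), preflight_ok(status, ph, origin, method, req_headers)

# Constructed samples: an open read-only API, and one that rejects OPTIONS.
OPEN_API = {"Access-Control-Allow-Origin": "*"}
NO_PREFLIGHT = (405, {"access-control-allow-origin": "*", "Allow": "GET"})
```

A result of `(True, False)` from `probe` is the broken-preflight case: plain GETs work from a browser, but any request that needs a preflight will be blocked.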
