Could CORS please be enabled on https://api.zotero.org/ ?


Lennart Borgman

Dec 17, 2011, 7:54:32 PM
to zoter...@googlegroups.com
Dear Zotero-dev,

I am trying to do a cross domain ajax request from 
http://www.zotero.org/ to https://api.zotero.org/. It fails.

I am new to ajax so I am not sure if my ajax request is wrong. However if I understand correctly api.zotero.org must allow CORS. Please see here:

http://www.kendoui.com/blogs/teamblog/posts/11-10-04/using_cors_with_all_modern_browsers.aspx 

=============
I previously posted the above to Zotero Forums, but am reposting it here for discussion:   http://forums.zotero.org/discussion/20985/is-cors-enabled-on-httpsapizoteroorg-/#Item_3 

So I know the answer is "no". But I would like CORS to be allowed. As I understand it you just have to add a simple response header to all output. Could you please do that?

Dan Stillman

Dec 17, 2011, 8:27:50 PM
to zoter...@googlegroups.com
On 12/17/11 7:54 PM, Lennart Borgman wrote:
> I am trying to do a cross domain ajax request from
> http://www.zotero.org/ to https://api.zotero.org/. It fails.
>
> I am new to ajax so I am not sure if my ajax request is wrong. However
> if I understand correctly api.zotero.org must allow CORS. Please see here:
>
> http://www.kendoui.com/blogs/teamblog/posts/11-10-04/using_cors_with_all_modern_browsers.aspx
>
> =============
> I previously posted the above to Zotero Forums, but am reposting it
> here for discussion:
> http://forums.zotero.org/discussion/20985/is-cors-enabled-on-httpsapizoteroorg-/#Item_3
>
> So I know the answer is "no". But I would like CORS to be allowed. As
> I understand it you just have to add a simple response header to all
> output. Could you please do that?

Without additional information, this doesn't really make sense. The
point of CORS is to allow trusted domains to make cross-domain requests
to a given domain. You're essentially asking us to open up access from a
domain you don't control, which is a strange thing to ask for.

I assume you're trying to use a userscript on www.zotero.org? If that's
the case, you can make requests to www.zotero.org/api, which is
currently equivalent to api.zotero.org and what the website uses to
build library pages. We'll probably replace www.zotero.org/api with CORS
on api.zotero.org at some point, so there's no guarantee that /api will
work long-term, but we have no immediate plans to discontinue it.

Lennart Borgman

Dec 18, 2011, 12:46:45 AM
to zoter...@googlegroups.com
I am not sure what "userscript" is. My code here is a bookmarklet for a certain Zotero group library.

I have no idea of why cross-domain requests to api.zotero.org should be forbidden from any domain. As far as I understand CORS is about cross-domain from a browser. I guess I could call api.zotero.org from a second server, or?

I guess www.zotero.org/api will work in my case so thanks for the tip, Dan. :-)

Dan Stillman

Dec 18, 2011, 2:30:49 AM
to zoter...@googlegroups.com
On 12/18/11 12:46 AM, Lennart Borgman wrote:
> I am not sure what "userscript" is. My code here is a bookmarklet for
> a certain Zotero group library.

Yes, that would qualify as a userscript. It doesn't really matter here,
but my point was simply that what you asked for didn't make sense
without your specifying that you were using a local script.

> I have no idea of why cross-domain requests to api.zotero.org should
> be forbidden from any domain.

In the near future we'll be rolling out an authentication mechanism for
the API based on zotero.org session cookies. Without the same-origin
policy, an XSS vulnerability on another website could allow an attacker
to read or write to someone's Zotero library.

> I guess I could call api.zotero.org from a second server, or?

Yes.

> I guess www.zotero.org/api will work in my case so thanks for the tip,
> Dan. :-)

Great.
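
An added example, not code from this thread or from Zotero, modelling the two points Dan makes above: that CORS exists to admit specific trusted origins rather than every site, and that once the API authenticates by zotero.org session cookie, opening it to any origin would let script injected on an unrelated site act as the logged-in user. The four server-side policies, the attacker origin https://evil.example and the https scheme for www.zotero.org are assumptions of the example; the browser-side check follows the Fetch standard's CORS check.

```javascript
// Added example, not Zotero's code: a small model of the interaction Dan
// describes between cookie-based API auth, the same-origin policy and CORS.
// The attacker origin "https://evil.example", the https scheme for
// www.zotero.org and the policy names are assumptions of the example.

const API_ORIGIN = "https://api.zotero.org";

// --- Server side: four ways the API could answer a cross-origin request ---

// Policy 1: no CORS headers at all (the state described in the thread).
function policyNone(requestOrigin) {
  return {};
}

// Policy 2: "just add a simple response header to all output".
function policyWildcard(requestOrigin) {
  return { "Access-Control-Allow-Origin": "*" };
}

// Policy 3: an explicit allow-list of trusted origins, credentials allowed.
// Vary: Origin stops a cache from serving one origin's answer to another.
function policyAllowlist(allowedOrigins) {
  return function (requestOrigin) {
    if (!allowedOrigins.includes(requestOrigin)) return {};
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  };
}

// Policy 4: reflect whatever Origin arrives and allow credentials. This is
// the misconfiguration that turns "CORS from any domain" into "any site can
// act as the logged-in user".
function policyReflect(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// --- Browser side: may script running at `origin` read the response? ------
// Fetch standard CORS check: same-origin always passes; otherwise
// Access-Control-Allow-Origin must equal the origin, or be "*" for a request
// made WITHOUT credentials; a credentialed request additionally needs
// Access-Control-Allow-Credentials: true, and "*" never satisfies it.
function browserCanRead(origin, withCredentials, responseHeaders) {
  if (origin === API_ORIGIN) return true;
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === "*" || acao === origin;
  return acao === origin &&
    responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// The write side: CORS gates what the page may READ, not what reaches the
// server. A "simple" request (GET/HEAD/POST, form-like Content-Type, no
// custom headers) is sent without a preflight, cookies attached, so a
// cookie-authenticated write endpoint needs CSRF protection whatever the
// CORS policy says. Non-simple requests wait for a preflight, which a policy
// that does not list the requesting origin refuses.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language"]);
function isSimpleRequest(method, requestHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lower = name.toLowerCase();
    if (lower === "content-type") {
      if (!SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim())) return false;
    } else if (!SAFELISTED_HEADERS.has(lower)) {
      return false;
    }
  }
  return true;
}

// Dan's scenario: script injected by XSS on an unrelated site calls the API
// with the victim's zotero.org session cookie. Can it read the library?
function attackerCanReadLibrary(policy) {
  const attackerOrigin = "https://evil.example"; // constructed
  return browserCanRead(attackerOrigin, true, policy(attackerOrigin));
}

// Lennart's case: a bookmarklet running on www.zotero.org, which an
// allow-list can admit without admitting every other site.
function bookmarkletCanRead(policy) {
  const siteOrigin = "https://www.zotero.org"; // scheme assumed
  return browserCanRead(siteOrigin, true, policy(siteOrigin));
}
```

Run it with node. Only policyReflect lets the attacker origin read a cookie-authenticated response; the wildcard header Lennart asks for is refused by the browser as soon as credentials are involved, and an allow-list containing www.zotero.org serves the bookmarklet without admitting anyone else. The isSimpleRequest check is the caveat to keep in mind for the "write" half of Dan's sentence: a cross-origin form-style POST is delivered with cookies before any CORS check happens (unless the cookie's SameSite attribute withholds it), so CORS on its own is not CSRF protection.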

Lennart Borgman

Dec 18, 2011, 2:38:53 AM
to zoter...@googlegroups.com
On Sun, Dec 18, 2011 at 08:30, Dan Stillman <dsti...@zotero.org> wrote:
>
>> I have no idea of why cross-domain requests to api.zotero.org should be
>> forbidden from any domain.
>
> In the near future we'll be rolling out an authentication mechanism for the
> API based on zotero.org session cookies. Without the same-origin policy, an
> XSS vulnerability on another website could allow an attacker to read or
> write to someone's Zotero library.

Oh, I see. Doesn't CORS distinguish between reading and writing?

>> I guess www.zotero.org/api will work in my case so thanks for the tip,
>> Dan. :-)
>
> Great.

It worked. :-)
