
The CORS Header 'Access-Control-Allow-Origin' is missing


I'm trying to use webUntis'(docs) API for a school project. For now I'm just trying to establish any kind of connection to the API.

    var result;
    const url = 'https://api.webuntis.dk/api/status';
    var xhr = new XMLHttpRequest();

    xhr.open('GET', url, true);
    xhr.setRequestHeader('Access-Control-Allow-Origin', '*');
    xhr.setRequestHeader('Content-type', 'application/json');
    xhr.setRequestHeader('Access-Control-Allow-Methods', 'GET');
    xhr.setRequestHeader('X-API-KEY', '/*API KEY*/');
    xhr.send();

    xhr.onreadystatechange = function() {
        // readyState 4 = request finished, status 200 = OK
        if (this.readyState == 4 && this.status == 200) {
            result = xhr.responseText; // response body
            console.log(result);
        }
    };

This code produces the following error message:

Cross-Origin request blocked: The same origin policy prohibits the reading of the external resource at https://api.webuntis.dk/api/status (Reason: CORS Header 'Access-Control-Allow-Origin' is missing).

How may this problem be solved? Perhaps my API key is wrong?

Disclaimer: The error message was translated from German.

x d asked Oct 17 '17 08:10




2 Answers

You are making a request to another site, in this case the API at api.webuntis.dk. This type of request is called a "Cross Origin Request".

For such requests to work in JavaScript, the server on their end needs to allow them.

This is done by their server sending special CORS headers, the most basic one being the "Access-Control-Allow-Origin" header.

I guess the API provider has not foreseen or planned for this API to be used from a frontend (e.g. JavaScript in the browser), so you would have to work around this.

One way is to set up your own server and have the JavaScript code make a request to your server, with your server then making a request to the API, as server-side code is not bound to CORS headers.

Alternatively, to try things out, you can prefix the URL with https://cors.io like this:

    const url = 'https://cors.io/?https://api.webuntis.dk/api/status';

geekonaut answered Oct 07 '22 18:10


What is CORS?

From MDN:

Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to let a user agent gain permission to access selected resources from a server on a different origin (domain) than the site currently in use. A user agent makes a cross-origin HTTP request when it requests a resource from a different domain, protocol, or port than the one from which the current document originated.

SOLUTION

You need to set the CORS permission in your server. (https://api.webuntis.dk/api/status)

Setting example:

  1. PHP

    <?php header("Access-Control-Allow-Origin: *");

  2. Rails

    # in config/application.rb
    config.action_dispatch.default_headers = {
      'Access-Control-Allow-Origin' => '*',
      # Response header listing the permitted methods
      'Access-Control-Allow-Methods' => %w{GET POST OPTIONS}.join(",")
    }

Note: change * to the specific URL that you want to allow CORS for. '*' is highly discouraged, unless you are providing a public API that is intended to be accessed by any consumer out there.

Adrian Rotama answered Oct 07 '22 19:10
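
The two answers combined, as an added example that is not code from either answer or from WebUntis: a server-side handler that calls the API with the key kept on the server, and returns `Access-Control-Allow-Origin` only for allow-listed origins instead of `*`. The allow-list entries, the `UNTIS_API_KEY` environment variable and the names `corsHeadersFor` and `handleStatus` are assumptions; only the upstream URL and the `X-API-KEY` header name come from the question.

```javascript
// Added example. Hypothetical: allow-list entries, UNTIS_API_KEY, function names.
const UPSTREAM = 'https://api.webuntis.dk/api/status'; // URL from the question
const ALLOWED_ORIGINS = new Set([
  'https://school-project.example', // constructed sample origins
  'http://localhost:8080',
]);

// Build the CORS response headers for the browser's Origin request header.
// The origin is echoed only on an exact allow-list match, never reflected blindly.
function corsHeadersFor(origin) {
  const headers = { 'Vary': 'Origin' }; // caches must key the response on Origin
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Methods'] = 'GET';
  }
  return headers;
}

// Framework-neutral handler: takes the incoming request's method and Origin,
// returns { status, headers, body } for the HTTP layer to send to the browser.
async function handleStatus({ method, origin }, fetchImpl = fetch) {
  const cors = corsHeadersFor(origin);
  if (method === 'OPTIONS') return { status: 204, headers: cors, body: '' };
  if (method !== 'GET') return { status: 405, headers: cors, body: '' };
  // Refuse cross-origin callers that are not on the allow-list before
  // spending the API key on their behalf.
  if (origin && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: cors, body: '' };
  }
  // The key lives only on the server; it never reaches the browser.
  const upstream = await fetchImpl(UPSTREAM, {
    headers: { 'X-API-KEY': process.env.UNTIS_API_KEY || '' },
  });
  return {
    status: upstream.status,
    headers: { ...cors, 'Content-Type': 'application/json' },
    body: await upstream.text(),
  };
}
```

The browser code then requests this handler's URL on your own server and sets no `Access-Control-*` or `X-API-KEY` request headers itself.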