It seems that most, if not all, oEmbed provider endpoints do not have CORS enabled. This means I have to use JSONP (for those that support it) or go through a server proxy just to use oEmbed.
There's a corporate policy against the use of JSONP from 3rd-party providers, but I still want to leverage oEmbed in a purely client-side way (for certain providers that we trust). I understand the security implications of a CONSUMER of oEmbed and why they might not want to allow 3rd-party markup directly into their pages, but why would providers restrict this? I could just as easily have XSS vulnerabilities if I built a server proxy and didn't filter the results.
Just guessing:
It may be related to the preflight requests. The CORS spec states that the client should send an additional OPTIONS request in many cases (basically, for anything outside a very basic GET or POST). It means that, on the server side, you will double your incoming requests just by providing CORS, and maybe that extra load would be unacceptable.
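As an added illustration (not code from the question or the answer above), the following models the browser's preflight rule and the CORS decision an oEmbed provider would make for an allow-listed consumer origin. The origins, hostnames and the oEmbed URL are constructed for the example.

```javascript
// Added example: when does a browser preflight, and what should an oEmbed
// provider answer? ALLOWED_ORIGINS and the URLs below are made up.
const ALLOWED_ORIGINS = new Set(["https://consumer.example"]); // constructed

// CORS "simple request" rules: these methods, headers and content types
// are sent directly, without an OPTIONS preflight.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Returns true when a browser would send an OPTIONS preflight before this
// request. Header names are compared case-insensitively.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return true;
    if (lower === "content-type" &&
        !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim())) return true;
  }
  return false;
}

// Provider side: CORS response headers for a request whose header keys are
// lowercase (as Node's http module delivers them). Only allow-listed origins
// are echoed back; "*" is never emitted, so unknown embedders get nothing.
function corsHeadersFor(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted) {
    // Preflight: an oEmbed endpoint only serves GET, so refuse anything else.
    if (wanted !== "GET") return {};
    out["Access-Control-Allow-Methods"] = "GET";
    out["Access-Control-Max-Age"] = "86400"; // lets the browser skip repeat preflights
  }
  return out;
}

// A typical consumer fetch of an oEmbed endpoint (constructed URL): a plain GET
// with an Accept header is a simple request, so no preflight is sent.
const OEMBED_URL = "https://provider.example/oembed?url=https%3A%2F%2Fprovider.example%2Fitem%2F1&format=json";
function typicalOembedFetchNeedsPreflight() {
  return needsPreflight("GET", { Accept: "application/json" });
}
```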