So I’m trying to experiment with some web service APIs (from a public service), and I was hoping to use JavaScript from a local file running in caddy.
When I check my console for the test output I get the following message “Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://ssapi.shipstation.com/orders. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).”
That’s fine.
I pop over to the caddy server site, look up CORS, find the plugin, download 0.11.0 with the plugin. Put the file in the same folder as before, thus back in my path.
Restart the server … and still get a CORS error.
Check into the docs and update my caddyfile.
Restart … still errors in the console.
I’m sure I’m missing something simple, but I’m just not seeing it.
Here is my Caddyfile:

localhost:2020 {
    cors
    gzip
    log access.log
    browse /js/userscripts
}
Haven’t mucked about with CORS much, but doesn’t https://ssapi.shipstation.com/orders need to add that header to allow you to access their resources from your own domain?
What @Whitestrake says is correct; the ssapi.shipstation.com/orders endpoint needs to allow access to the resource it’s providing.
Since I’m guessing you don’t control that endpoint and can’t change the headers, you can easily work around this by making your own API on your own domain (in this case localhost:2020, because the scheme, hostname and the port name must match for the same origin policy to apply) that calls the endpoint you’re interested in and just passes you back the response.
How you do that is of course up to you though.
Edit: The accepted answer here goes over CORS and SOP in an easy to understand way, so it might be worth a read:
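
The workaround from the reply above, sketched as an added example (not code from any poster in this thread): a small Node.js relay that the page calls on its own origin and that fetches the upstream endpoint server-side. The `/api` prefix, the path allowlist, port 2021 and the `UPSTREAM_AUTH` variable are assumptions; it also assumes Caddy forwards `/api` to the relay (for example with its `proxy` directive) so the browser only ever talks to localhost:2020.

```javascript
const http = require('http');
const https = require('https');

const UPSTREAM = 'https://ssapi.shipstation.com'; // host taken from the thread
const PREFIX = '/api';                            // assumed local route prefix
const ALLOWED = new Set(['/orders']);             // assumed path allowlist

// Same-origin policy: scheme, hostname and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Models the browser's decision for a simple GET without credentials:
// may script running on `page` read the response from `resource`?
function browserMayRead(page, resource, headers = {}) {
  if (sameOrigin(page, resource)) return true;
  const acao = headers['access-control-allow-origin'];
  return acao === '*' || acao === new URL(page).origin;
}

// Maps a local request path to the fixed upstream host. Returns null for
// anything outside the allowlist so the relay cannot act as an open proxy.
function upstreamUrl(localPath) {
  const u = new URL(localPath, 'http://localhost'); // also normalizes ../
  if (!u.pathname.startsWith(PREFIX + '/')) return null;
  const path = u.pathname.slice(PREFIX.length);
  return ALLOWED.has(path) ? UPSTREAM + path + u.search : null;
}

function startRelay(port) {
  return http.createServer((req, res) => {
    const target = req.method === 'GET' ? upstreamUrl(req.url) : null;
    if (!target) { res.writeHead(404); return res.end(); }
    // Credentials stay on the server; the variable name is an assumption.
    const auth = process.env.UPSTREAM_AUTH;
    const headers = auth ? { authorization: auth } : {};
    https.get(target, { headers }, (up) => {
      const type = up.headers['content-type'] || 'text/plain';
      res.writeHead(up.statusCode, { 'content-type': type });
      up.pipe(res);
    }).on('error', () => { res.writeHead(502); res.end(); });
  }).listen(port, '127.0.0.1'); // loopback only
}

// Run with `node relay.js serve`; the port is an assumption.
if (process.argv[2] === 'serve') startRelay(2021);
```

Binding to 127.0.0.1 and pinning both the upstream host and the allowed paths keeps the relay from forwarding arbitrary requests on behalf of whoever can reach it.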