Please change the API's CORS restrictions #3133

Open
benmanone opened this issue Jul 6, 2024 · 2 comments
Labels
enhancement Issue that describes a problem that requires a change in the current functionalities of Tatoeba.

Comments

@benmanone

I think the current CORS settings are far too restrictive, preventing the API from sharing responses with other domains. Please could the Access-Control-Allow-Origin header be modified to allow those of us who want to build web apps using the API to do so? I don't know very much about API development but I think this is a very simple task. I could try to write a PR doing this later today. Thank you

@benmanone benmanone added the enhancement Issue that describes a problem that requires a change in the current functionalities of Tatoeba. label Jul 6, 2024
@benmanone
Author

Strangely, it seems like there is already a permissive Access-Control-Allow-Origin header. However, any attempt on my end to make a request is left with a CORS error mentioning that the header has denied the response. This is also mentioned by several people in the original API thread referenced by the wiki.

location ~ \.php$ {
  try_files $uri =404;
  include /etc/nginx/fastcgi_params;
  fastcgi_pass    unix:/var/run/php/tatoeba.sock;
  fastcgi_index   index.php;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  more_set_headers 'Access-Control-Allow-Origin: *';
}

@jiru
Member

jiru commented Jul 27, 2024

@benmanone Thanks. The code snippet you shared is a good start; however, it would allow CORS for every part of the website tatoeba.org, which is rather dangerous. We don’t want that; instead, we want to restrict it to the API only. But I am not sure what’s a correct and secure way to restrict the header to API requests only.

By the way, there is a new API under development (which has correct CORS headers) you can use in the meantime. It’s currently documented at https://api.dev.tatoeba.org/ but you can use the same endpoints on https://api.tatoeba.org/ already. There is also an example client.
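
One way to scope the header to API requests only, shown as an added example that is not part of the thread or of Tatoeba's configuration. The prefix `/example-api/` and the variable name `$cors_allow_origin` are placeholders, and core nginx `add_header` is used here in place of the `more_set_headers` directive from the snippet above.

```nginx
# --- http {} context -------------------------------------------------------
# Decide per request whether a CORS header should be sent.
# $request_uri is the URI exactly as the client sent it, so it still
# identifies an API call after try_files or a rewrite has routed the
# request internally to index.php.
# "/example-api/" is a placeholder: substitute the real API path prefix.
map $request_uri $cors_allow_origin {
    default          "";     # every non-API page: leave the variable empty
    ~^/example-api/  "*";    # API responses: readable from any origin
}

# --- inside the existing server {} block -----------------------------------
location ~ \.php$ {
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass    unix:/var/run/php/tatoeba.sock;
    fastcgi_index   index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # Before (site-wide): every PHP response carried the header.
    #   more_set_headers 'Access-Control-Allow-Origin: *';

    # After (API only): add_header emits nothing when the value is empty,
    # so pages outside the API prefix get no Access-Control-Allow-Origin.
    # "always" attaches the header to error responses (4xx/5xx) as well,
    # so API clients can read error bodies cross-origin.
    add_header Access-Control-Allow-Origin $cors_allow_origin always;
}
```

An `add_header` inside a location replaces, rather than extends, any `add_header` directives inherited from the server or http level, so repeat those in this block if they exist. Comparing the response headers of one API URL and one ordinary page with `curl -sI` shows whether the scoping took effect.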
