I wrote the following JavaScript to call a Smartsheet API:

$.get( "https://api.smartsheet.com/1.1/users/sheets", "Authorization: Bearer [My Access token]" )
.done(function( data ) {
    alert( "Data Loaded: " + data );
});

But this threw the following error:

XMLHttpRequest cannot load https://api.smartsheet.com/1.1/users/sheets?Authorization:%20Bearer%[My Access token]. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. 

After some reading, I realized the code had to make a cross-origin resource sharing (CORS) request. I came upon the following code to do that using jQuery from here:

function createCORSRequest(method, url) {
      var xhr = new XMLHttpRequest();
      if ("withCredentials" in xhr) {
        xhr.open(method, url, true);
      } else if (typeof XDomainRequest != "undefined") {
        xhr = new XDomainRequest();
        xhr.open(method, url);
      } else {
        xhr = null;
      }
      alert("cors created");
      return xhr;
}

var xhr = createCORSRequest('GET', "https://api.smartsheet.com/1.1/users/sheets?Authorization=Bearer+[My Access token]");
if (!xhr) {
    throw new Error('CORS not supported');
}
xhr.onload = function() {
    var text = xhr.responseText;
    alert('Response from CORS request: ' + text);
};
xhr.onerror = function() {
    alert('Woops, there was an error making the request.');
};
xhr.send();

However, this again produces the same error in my browser console:

XMLHttpRequest cannot load https://api.smartsheet.com/1.1/users/sheets?Authorization=Bearer+[My Access token]. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. 

Am I headed in the right direction? How can I fix the issue?

Thanks.

raul
  • The change must occur server side. The server must provide the 'Access-Control-Allow-Origin' header. – Denys Séguret Aug 12 '14 at 07:04
  • since it is a cross domain request... the target api should either support CORS or jsonp... – Arun P Johny Aug 12 '14 at 07:05
  • Does that answer your question: http://stackoverflow.com/questions/12901815/xmlhttprequest-access-control-allow-origin-when-url-is-not-complete ? – Denys Séguret Aug 12 '14 at 07:06
  • Complementary reading: http://enable-cors.org/ – Denys Séguret Aug 12 '14 at 07:07
  • @dystroy: But I can't change the server. If the server does not provide the 'Access-Control-Allow-Origin' header, in what other way can I make this work? – raul Aug 12 '14 at 07:20
  • As I mentioned in the linked answer, if you can't change the server and if it doesn't provide any suitable API, you can still proxy the content on your own server. But be careful that this probably goes against that site's policy. – Denys Séguret Aug 12 '14 at 07:23

1 Answer

As has been alluded to in the comments, the Smartsheet API does not currently support CORS.

stmcallister
  • stmcallister is correct. We don't currently support a JS interface to our API, and CORS is not supported. Your other option is jsonp - which enables greater backward compatibility but is limited to GETs only http://stackoverflow.com/questions/12296910/so-jsonp-or-cors. Another quick point - I suspect you already know this - but I would strongly discourage you from making this JS code available on a public website because anyone will be able to read your API access token. – avioing Aug 12 '14 at 17:23
  • Won't jsonp also fail because you can't send headers along? The SS API requires an Authorization header. – skybondsor Jan 02 '15 at 01:50
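
The proxy approach Denys Séguret mentions, combined with avioing's point about keeping the access token out of browser code, as an added example that is not from the question, the answer or Smartsheet. The allowed origin, the `SMARTSHEET_TOKEN` variable name and the function names are assumptions; the API host and path are the ones in the question.

```javascript
// Added example: server-side proxy logic. Names below are assumptions, not Smartsheet's.
const API_BASE = "https://api.smartsheet.com";          // host from the question
const ALLOWED_PATHS = new Set(["/1.1/users/sheets"]);   // endpoint from the question
const ALLOWED_ORIGIN = "https://app.example.com";       // constructed: your own front end

// Handles one browser request. The token is supplied server-side and never reaches the page.
async function proxyRequest(req, token, fetchImpl = fetch) {
  // Only the known front end gets a CORS header; 'null' (file://) and unknown origins get none.
  const cors = req.origin === ALLOWED_ORIGIN
    ? { "Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin" }
    : {};
  if (req.method !== "GET") return { status: 405, headers: cors, body: "method not allowed" };
  // Parse against a dummy base; only the normalized pathname is used.
  const path = new URL(req.url, "http://proxy.invalid").pathname;
  if (!ALLOWED_PATHS.has(path)) return { status: 404, headers: cors, body: "not found" };
  // Fixed host plus allowlisted path: client query string and headers are not forwarded.
  const upstream = await fetchImpl(API_BASE + path, {
    method: "GET",
    headers: { Authorization: "Bearer " + token },
  });
  return {
    status: upstream.status,
    headers: { ...cors, "Content-Type": "application/json" },
    body: await upstream.text(),
  };
}

// Wires proxyRequest into a Node HTTP server bound to localhost.
function startProxy(port) {
  const http = require("node:http");
  const token = process.env.SMARTSHEET_TOKEN;           // assumed variable name
  if (!token) throw new Error("SMARTSHEET_TOKEN is not set");
  return http.createServer(async (req, res) => {
    try {
      const out = await proxyRequest(
        { method: req.method, url: req.url, origin: req.headers.origin }, token);
      res.writeHead(out.status, out.headers).end(out.body);
    } catch (err) {
      res.writeHead(502).end("upstream error");
    }
  }).listen(port, "127.0.0.1");
}
```

CORS headers only restrict browsers, so a deployed proxy also needs its own authentication for callers; otherwise anyone who can reach it can use the token's access.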