
I am writing an API which helps developers create upload functionality that works like this:

First the developer sets the API SECRET, creates an input tag and gives it some classes. Then he calls the JavaScript libs for my API. This API makes the input look nice and creates some functions like this: when someone clicks on the Choose Image button and the input changes, it sends this image to my server and returns the image URL. So the developer will be able to let users upload their images to his API account. But the problem is that if my server doesn't send `header('Access-Control-Allow-Origin: *');` it returns an error. How can I solve this?

John
  • You could add that header to the responses which allow CORS – apokryfos Feb 09 '17 at 15:27
  • @apokryfos should I add `header('Access-Control-Allow-Origin: *');` which allows for all origins? – John Feb 09 '17 at 15:28
  • @apokryfos I heard that it is insecure, but I am not sure for this case? I am afraid that someone can include my PHP file on their server, or can use `file_get_contents`, or some other security hole? – John Feb 09 '17 at 15:29
  • The header is only applicable when you're accessing a resource from another site, e.g., if an AJAX call in site X accesses your API which is hosted in site Y then the server will complain. A `file_get_contents` is direct access which is not what CORS access control is meant to take care of. That's what security credentials are for. – apokryfos Feb 09 '17 at 15:34
  • @apokryfos thank you for this information. I want to be sure that it is absolutely secure to allow all origins if I create APIs, right? – John Feb 09 '17 at 15:35
  • Security is meant to be taken care of using a login or some sort of authentication (e.g. OAuth). CORS restrictions are not meant to protect your site. They are there to protect end users. http://stackoverflow.com/questions/4850702/is-cors-a-secure-way-to-do-cross-domain-ajax-requests has more details on what the issues with CORS really are. – apokryfos Feb 09 '17 at 15:50
  • Note: `header('Access-Control-Allow-Origin: *');` will not work on all browsers. Some browsers don't allow `'*'` in origins. – Dimi Feb 09 '17 at 15:56
  • @apokryfos thank you it solved my problem :) – John Feb 09 '17 at 15:56
  • @Dimi so how can I solve it for other browsers? – John Feb 09 '17 at 15:57
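The following is an added example, not code from the question or from any of the commenters. It shows the server-side pattern the comment thread points at: instead of answering every site with `Access-Control-Allow-Origin: *`, the upload endpoint reflects the request's `Origin` only when it is on a per-account allow-list, answers the `OPTIONS` preflight a cross-site multipart upload triggers, and still authenticates the call with the developer's API key, since CORS headers decide only what a browser may read, not who may call the endpoint. The allow-list values, the `X-Api-Key` header name, the `lookup_api_secret_for_account()` helper and the returned URL are all assumptions made for the example.

```php
<?php
// Added example (not from the original question or comments): CORS handling for
// an image-upload endpoint that reflects an allow-listed Origin instead of "*".

/**
 * Decide which Access-Control-Allow-Origin value to send for a request.
 * Returns null when no CORS header should be sent at all, which makes the
 * browser block a cross-site read of the response.
 */
function cors_origin_for(?string $origin, array $allowed): ?string
{
    if ($origin === null) {
        return null; // same-origin page or a non-browser client: nothing to add
    }
    // Compare the full origin (scheme + host + port) with strict equality;
    // a substring or regex match would let "https://app.example.attacker.test"
    // pass for "https://app.example".
    return in_array($origin, $allowed, true) ? $origin : null;
}

/**
 * Hypothetical helper: a real deployment would read the secret from the
 * account store. Here it returns a constructed value for the example.
 */
function lookup_api_secret_for_account(string $account): string
{
    return 'constructed-secret-for-' . $account;
}

// Origins the developer registered for this API account (constructed values).
$allowedOrigins = [
    'https://app.example',
    'https://www.example',
];

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
$allow  = cors_origin_for($origin, $allowedOrigins);

if ($allow !== null) {
    header('Access-Control-Allow-Origin: ' . $allow);
    // Caches must key the response on Origin, otherwise the allow header
    // computed for one site could be served from cache to another.
    header('Vary: Origin');
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, X-Api-Key');
    header('Access-Control-Max-Age: 600');
}

// A cross-site POST that carries a custom header is preceded by an OPTIONS
// preflight; it needs only the headers above and an empty body.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

// Authentication is separate from CORS: the API key identifies the account.
// hash_equals() avoids leaking the secret through timing differences.
$apiKey = $_SERVER['HTTP_X_API_KEY'] ?? '';
if (!hash_equals(lookup_api_secret_for_account('demo-account'), $apiKey)) {
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'invalid api key']);
    exit;
}

// Only accept a real uploaded file from the multipart form field "image".
if (!isset($_FILES['image']) || !is_uploaded_file($_FILES['image']['tmp_name'])) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'missing image']);
    exit;
}

// Storage is out of scope for this example; the URL below is a constructed
// placeholder for wherever the file ends up after move_uploaded_file().
header('Content-Type: application/json');
echo json_encode(['url' => 'https://cdn.example/uploads/PLACEHOLDER-image-id']);
```

Two points worth keeping in mind when adapting this. Reflecting a specific origin, rather than `*`, is also what browsers require whenever the request carries credentials (`Access-Control-Allow-Credentials: true` is refused together with a wildcard origin), so the allow-list approach covers the cases Dimi's comment describes. And any key embedded in the developer's client-side JavaScript is visible to every visitor of that page, so it identifies the account rather than proving who is calling; the per-account origin allow-list and server-side checks on the uploaded content are what limit the damage if it is copied.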

0 Answers