As most people know, Postman is made in Electron. However, it does not run into CORS issues when attempting to make API calls. If a normal user packaged a simple Electron app that made API calls using Fetch/XHR, however, they would be blocked by endpoints that have a CORS policy. My question is, how does Postman get around this, and is there a setting or flag in Electron that lets my own app do the same? I read here and here that "Postman is a dev tool" but that isn't an in-depth response, since Postman is an Electron app that would theoretically be running in Chromium (aka a browser). I'd appreciate anyone who could provide some headway on this topic!
2 Answers
11
Do not forget that Electron is not just Chromium, but also packages Node, which can also make HTTP requests, without any Same Origin Policy and hence with no CORS limitation.
I suspect Postman actually performs the HTTP request from its Node part (main process).

ghybs
- Would there be any possibility that Postman routes requests through some kind of internal proxy? – erli Jul 16 '19 at 17:44
- What for? You could consider the electron main process such an "internal proxy", but it is just irrelevant in this case, because there is nothing that forces Postman to originate its request from the Chromium renderer process. By starting the requests from the Node main process, there is no SOP, hence no need for proxy. – ghybs Jul 16 '19 at 17:55
- This is probably how Postman does it. I did the same thing in my own Electron app for this very reason. It's pretty easy to do with the IPC modules built-in to Electron. – CoryCoolguy Jul 16 '19 at 19:30
- @CoryCoolguy would you be able to show a demo of how it can be done? I assume that you would use `https` or `http` in `Main.js` or `preload`? – erli Jul 16 '19 at 21:04
- I used `request`, but you could use `http` too. I start by [asking the main process](https://github.com/CorySanin/Kitten-for-CSGO/blob/f9435fc8f8bb54f9407a4274aaa5ee3cd1f3fbd0/server.js#L244) to perform the request. Then I [use request and send back the relevant data](https://github.com/CorySanin/Kitten-for-CSGO/blob/f9435fc8f8bb54f9407a4274aaa5ee3cd1f3fbd0/main.js#L162). Then I can [listen for the response in the renderer](https://github.com/CorySanin/Kitten-for-CSGO/blob/f9435fc8f8bb54f9407a4274aaa5ee3cd1f3fbd0/server.js#L306) (aka the chrome window). – CoryCoolguy Jul 16 '19 at 21:45
- @CoryCoolguy very nice example! Thank you for reminding me that Counter-Strike is still such a thing. I like this creative usage of OSS for customization ;-) – ghybs Jul 17 '19 at 02:12
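
The main-process request pattern described in the answer and comments above, as an added example that is not part of the original thread, Postman's code, or the linked project. It goes one step further than the thread by validating the destination in the main process, because requests sent from Node are not covered by the Same Origin Policy. The channel name `api:fetch`, the functions `validateRequest` and `registerApiFetch`, and the allowlisted host are assumptions made for illustration.

```javascript
// Added example: main-process side of a renderer -> main HTTP bridge.
// 'api:fetch', ALLOWED_HOSTS and both function names are hypothetical.
const ALLOWED_HOSTS = new Set(['api.example.com']); // constructed sample allowlist
const ALLOWED_METHODS = new Set(['GET', 'POST']);

// Validate a renderer-supplied request before the main process sends it.
// Node-side requests bypass SOP/CORS, so the main process must decide for
// itself which destinations a (possibly compromised) renderer may reach.
function validateRequest(req) {
  if (!req || typeof req.url !== 'string') throw new Error('url must be a string');
  const url = new URL(req.url); // throws on malformed input
  if (url.protocol !== 'https:') throw new Error('only https is allowed');
  if (url.username || url.password) throw new Error('credentials in URL not allowed');
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error(`host not allowed: ${url.hostname}`);
  const method = String(req.method || 'GET').toUpperCase();
  if (!ALLOWED_METHODS.has(method)) throw new Error(`method not allowed: ${method}`);
  const body = method === 'POST' ? String(req.body ?? '') : undefined;
  return { url: url.href, method, body };
}

// ipcMain is passed in (in an Electron app: require('electron').ipcMain) so the
// logic also runs under plain Node; fetchImpl defaults to Node's global fetch.
function registerApiFetch(ipcMain, fetchImpl = globalThis.fetch) {
  ipcMain.handle('api:fetch', async (_event, req) => {
    const { url, method, body } = validateRequest(req);
    // redirect: 'error' stops a redirect from leaving the allowlisted host.
    const res = await fetchImpl(url, { method, body, redirect: 'error' });
    // Return only plain, serialisable data to the renderer.
    return { status: res.status, body: await res.text() };
  });
}

// Renderer side, for reference. The preload script exposes one narrow
// function instead of handing ipcRenderer to page scripts:
//   contextBridge.exposeInMainWorld('api', {
//     fetch: (req) => ipcRenderer.invoke('api:fetch', req),
//   });
//   // page script: const { status, body } = await window.api.fetch({ url });
```
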
3
You can disable web security on Electron (Chromium). That will enable you to get around CORS.
https://stackoverflow.com/a/55741491/3947422
https://github.com/electron/electron/issues/23664#issuecomment-631674094

Ashish