This might be a silly question but I’m trying to get the API set up but I keep running into this issue:
> XMLHttpRequest cannot load https://www.haloapi.com/stats/h5/players/hajes/matches. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://localhost:3000’ is therefore not allowed access. The response had HTTP status code 404.
I figure I need to add an application with http://localhost:3000 as the set site, but that hasn’t had any effect so far (although it looks like the application needs to be approved?)
So I just wanted to check that I should be able to run off of localhost?
Just checking this out. It seems to be a bug. The server (haloapi.com) is erroring out with a 404 on preflight OPTIONS requests, required for successful cross-domain requests using CORS. The server is not using the “Access-Control-Allow-Origin: *” header, and doesn’t seem to support JSON-P. Only other option is to use a proxy on a server. One advantage of doing that is that you wouldn’t disclose your API key to others, but since you’re running on localhost that wasn’t an issue.
This is not due to an error on the API side. This is a security implementation that is utilized in all web browsers, that prevents XMLHttp requests to any other domain than the one it is currently on (think how dangerous it would be if there was a way to send an XMLHttpRequest to a malicious server in the event of an XSS exploit). To circumvent this, I’d recommend you setup an endpoint on your site via PHP that sends a cURL request to the Halo API endpoints (a proxy). There is NO possible way to setup an XMLHttpRequest to any origin than your own.
Example:
On your server you have “api.php”, whereas the parameters are the same as the ones sent to the Halo API. Simply parse these parameters and send a cURL request to the Halo API and then echo the contents.
If there is demand for it, I’ll gladly write up an example really quickly!
Yeah I figured the issue might be along those lines, I’ve encountered it a few times at work.
Regarding cross-domain requests “never” being allowed, that’s not strictly true. For example I’ve been using the Spotify Web API at work and that works just fine from my localhost as long as i set localhost:/3000 as one of the approved domains (although not secure, for development it’s sufficient.)
But if you don’t mind I’d love an example of how to set up a proxy server in PHP. I’m traditionally a front-end guy and haven’t done any PHP / Server-side work since I graduated.
Thanks zCory and Der Flatulator6 for taking the time to respond.