Has anyone in TR enabled CORS in their app?
Does anyone allow "cross site" requests using CORS (Cross Origin Resource Sharing) today? If so, what benefits and risks have you found in the process?
Tagged:
3
Best Answer
-
The NewsPlus news recommendation service is CORS enabled and accessible through API garden as such. This *is* a dev/POC-level service, though. I'm in R&D after all. That said.. In a service oriented world, its hard to imagine **NOT** calling out to at least *some* services that are served by a different domain. **Benefit**: As a service provider, you make your service more accessible to a greater audience. It decouples application environment**S** (emphasis on the plural) from the service environment - a must have if you are providing the service across multiple groups or organizations. (API Garden users, there's a little extra configuration on the proxy side to let your CORS proxy through.. I don't have the details, right now, but its pretty straightforward.) **Benefit**: As a front-end application, its often necessary to pull in functionality from many different services hosted across or outside of the organization. CORS is the new way to do this across domains. The other alternative is JSONP which has its limitations. **Risk**: The user's browser has to support CORS. Most modern browsers do. See @john-ericson's answer about IE compatibility - see here for a compatibility chart: [
http://caniuse.com/cors][5] and the article he cites - [
http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx][6]. **Risk**: You may have more apps/things talking to your service than initially planned. You can mitigate this in your CORS settings by only allowing certain domains access - e.g. all *.
thomsonreutes.com and *.
westgroup.com, etc. You can also mitigate it by restricting access through API keys - like those that API Garden can provide. ---- More details... Browser security doesn't allow cross domain AJAX calls without some extra HTTP hand-shaking between the browser and the service - [
http://en.wikipedia.org/wiki/Same_origin_policy][1]. There are two ways that I'm aware of to make AJAX calls outside of the domain my "document" was served by: - JSONP - [
http://en.wikipedia.org/wiki/JSONP][2] - CORS - [
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing][3] JSONP is the old way, has limitations in what it can do and how errors can be handled. CORS is the newer and cooler way is gives you all the functionality of a same domain service. I learned about this in 2012 and here are my notes: [
https://thehub.thomsonreuters.com/blogs/lostandfound/2012/03/13/making-you-tomcat-services-cross-origin-capable][4] [1]:
http://en.wikipedia.org/wiki/Same_origin_policy [2]:
http://en.wikipedia.org/wiki/JSONP [3]:
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing [4]:
https://thehub.thomsonreuters.com/blogs/lostandfound/2012/03/13/making-you-tomcat-services-cross-origin-capable [5]:
http://caniuse.com/cors [6]:
http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx5
Answers
-
We started to, from the perspective of consuming services via XHR, but then found limitations in IE9 (and lower). Specifically that it won't support auth headers. Here are some details about IE8, but most apply to IE9 as well.
http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx3
Categories
- All Categories
- 6 AHS
- 39 Alpha
- 161 App Studio
- 4 Block Chain
- 4 Bot Platform
- 16 Connected Risk APIs
- 47 Data Fusion
- 30 Data Model Discovery
- 608 Datastream
- 1.3K DSS
- 577 Eikon COM
- 4.9K Eikon Data APIs
- 7 Electronic Trading
- Generic FIX
- 7 Local Bank Node API
- Trading API
- 2.7K Elektron
- 1.3K EMA
- 236 ETA
- 519 WebSocket API
- 33 FX Venues
- 10 FX Market Data
- 1 FX Post Trade
- 1 FX Trading - Matching
- 12 FX Trading – RFQ Maker
- 5 Intelligent Tagging
- 2 Legal One
- 20 Messenger Bot
- 2 Messenger Side by Side
- 9 ONESOURCE
- 7 Indirect Tax
- 59 Open Calais
- 264 Open PermID
- 39 Entity Search
- 2 Org ID
- PAM
- PAM - Logging
- 8.4K Private Comments
- 6 Product Insight
- Project Tracking
- ProView
- ProView Internal
- 20 RDMS
- 1.4K Refinitiv Data Platform
- 367 Refinitiv Data Platform Libraries
- 3 Refinitiv Due Diligence
- LSEG Due Diligence Portal API
- 3 Refinitiv Due Dilligence Centre
- Rose's Space
- 1.1K Screening
- 18 Qual-ID API
- 13 Screening Deployed
- 23 Screening Online
- 10 World-Check Customer Risk Screener
- 990 World-Check One
- 44 World-Check One Zero Footprint
- 45 Side by Side Integration API
- Test Space
- 3 Thomson One Smart
- 1.2K TR Internal
- Global Hackathon 2015
- 2 Specialists Who Code
- 10 TR Knowledge Graph
- 150 Transactions
- 142 REDI API
- 1.7K TREP APIs
- 4 CAT
- 21 DACS Station
- 117 Open DACS
- 1.1K RFA
- 103 UPA
- 172 TREP Infrastructure
- 224 TRKD
- 886 TRTH
- 5 Velocity Analytics
- 5 Wealth Management Web Services
- 60 Workspace SDK
- 9 Element Framework
- 5 Grid
- 13 World-Check Data File
- Yield Book Analytics
- 46 中文论坛