11436 SSO

Cross-Origin Access Issues? An API Solution to an API-Driven Phenomenon

Alan Languirand
Sep 05, 2012

Amazon S3 recently announced support for Cross-Origin Resource Sharing (CORS). What’s the big deal? Now apps can call the S3 API directly. But weren’t apps always calling the S3 API directly? Yes and no.

Traditional web apps built on PHP, .NET, Java and other application servers were always able to call the S3 API. However, until now it was impossible for JavaScript running in a browser to call the S3 API directly. For example, if a web page were served to the browser from http://mysite.co/index.php and the JavaScript on that page tried to make a request to https://s3.amazonaws.com/mysite.com/foo.json the browser would throw an error. Something like:

“XMLHttpRequest cannot load https://s3.amazonaws.com/mysite.com/foo.json. Origin https://www.mysite.com is not allowed by Access-Control-Allow-Origin.”

The browser throws the error because http://mysite.com and https://s3.amazonaws.com are not the same origin and could, therefore, be malicious. Why then is this subtle change to direct JavaScript calls so important? Because APIs are changing everything.

As API-driven services like Amazon S3, Dropbox, Google Maps and Flickr become more and more powerful there’s less and less need to build a full web stack (check out the first few slides of Ed Anuff’s recent webcast on Building a Mobile Data Platform with Cassandra). The features a developer might have spent months building in PHP, they now get immediately at scale from API-based services. As a result, there’s no compelling need to have a web stack. Instead, you want to make the web API calls directly from the web browser.

Now that Amazon supports CORS everything is fantastic! Unless, of course, you rely on an API that you don’t control and that API hasn’t yet adopted CORS. Unfortunately, there are many app developers who rely on APIs they don’t control. And many APIs don’t yet support CORS. However, instead of resorting to an old-fashioned web stack, you can use an API proxy to solve this problem.

An API solution to an API-driven phenomenon.

With Apigee Gateway Services, you can transform any API into a CORS-compliant API without changing the original. This short screencast demonstrates how it’s done.

Scaling Microservices