This post is old and may contain outdated information.

Difference between SL Reseplanerare 3 and SL Platsuppslag

Hello,

I am having difficulty accessing some APIs such as SL Platsuppslag, but SL Reseplanerare 3 works fine with the exact same code executed from the same machine.

For SL Platsuppslag for instance, it seems it does not support CORS but SL Reseplanerare 3 does?

Namely this works:

    let url = "https://api.sl.se/api2/TravelplannerV3/trip.json?lang=en&searchForArrival=0&key=" + self.apiKey + "&originId=" + stationA + "&destId=" + stationB;

    fetch(url, {
      mode: 'cors',
      headers: {
        'Accept': 'application/json',
        'Origin': 'https://app-settings.fitbitdevelopercontent.com'
      }
    }).then(function(response) {
      return response.json();
    });


but this doesn't:

    let url = "https://api.sl.se/api2/typeahead.json?key=" + self.acApiKey + "&searchstring=" + value + "&maxresults=4";

    fetch(url, {
      mode: 'cors',
      headers: {
        'Accept': 'application/json',
        'Origin': 'https://app-settings.fitbitdevelopercontent.com'
      }
    }).then(function(response) {
      // handler body not shown in the original post
    });


Specifically I get this in my logs:

Fetch API cannot load https://api.sl.se/api2/typeahead.json?key=xyz&searchstring=edt&maxresults=4. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://app-settings.fitbitdevelopercontent.com' is therefore not allowed access. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Am I missing anything?

Thanks

Comments

  • Hello!

    Thanks for a very good question! I'm not sure why one API supports CORS while another doesn't. I'm gonna assign the question to SL, it might be an oversight.

    A bit off topic, and also targeted to people who will read this thread in the future, but please remember to be careful when using CORS. I was not personally involved during the decision to enable CORS for some APIs, but I'm guessing it was made so that people could launch a simple front-end application for personal use only. If you want to create a public application make sure not to send your API keys to clients.

    // Kevin
    Team Trafiklab
  • Hi,

    Api.sl.se does not support CORS at the moment, and there is no decision to do so. It is likely that using it will have unpredictable results.

    Regarding the difference in how the APIs handle it, we have not noticed it before and we will have a look at it, but you should not expect CORS to work.

    Best regards
    Erik B.
  • Hi again,

    I have checked the headers from both api-calls.
    Neither of them seems to return the Access-Control-Allow-Origin header, which as I understand would be the case if CORS were enabled. Is there any specific reason for you to use mode: 'cors' on a "back-end" call? Have you tried to use mode: 'no-cors' as your error message suggests?

    Best regards
    Erik B.
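
One way to follow the advice in this thread (keep the API key off the client, and do not depend on api.sl.se sending `Access-Control-Allow-Origin`) is a small server-side proxy. This is an added example, not code from the thread or from Trafiklab/SL; it assumes Node.js 18+, and the `SL_API_KEY` and `PROXY_PORT` variables, the `/typeahead` route and the 50-character limit are hypothetical choices.

```javascript
// Added example: server-side proxy so the SL API key never reaches the browser.
// Assumptions (not from the thread): Node.js 18+ (global fetch), the env vars
// SL_API_KEY and PROXY_PORT, the /typeahead route and the 50-char query limit.
const UPSTREAM = 'https://api.sl.se/api2/typeahead.json'; // endpoint from the post
const ALLOWED_ORIGINS = new Set(['https://app-settings.fitbitdevelopercontent.com']);

// Build the upstream URL. URLSearchParams encodes user input, so a search
// string cannot smuggle extra query parameters such as "&key=...".
function buildUpstreamUrl(searchString, apiKey) {
  const u = new URL(UPSTREAM);
  u.search = new URLSearchParams({ key: apiKey, searchstring: searchString, maxresults: '4' }).toString();
  return u.toString();
}

// Echo the origin back only if it is allowlisted; never answer with "*".
function corsHeadersFor(origin) {
  return ALLOWED_ORIGINS.has(origin)
    ? { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' }
    : {};
}

// Request handler usable with http.createServer; fetchImpl is injectable for tests.
async function handle(req, res, fetchImpl = fetch, apiKey = process.env.SL_API_KEY) {
  const headers = { 'Content-Type': 'application/json', ...corsHeadersFor(req.headers.origin) };
  try {
    const reqUrl = new URL(req.url, 'http://localhost');
    const q = reqUrl.searchParams.get('q') || '';
    if (req.method !== 'GET' || reqUrl.pathname !== '/typeahead' || !q || q.length > 50) {
      res.writeHead(400, headers);
      return res.end(JSON.stringify({ error: 'bad request' }));
    }
    const upstream = await fetchImpl(buildUpstreamUrl(q, apiKey), { headers: { Accept: 'application/json' } });
    const body = await upstream.text();
    res.writeHead(upstream.ok ? 200 : 502, headers);
    res.end(body);
  } catch (err) {
    // Do not echo err.message: it may contain the upstream URL including the key.
    res.writeHead(502, headers);
    res.end(JSON.stringify({ error: 'request failed' }));
  }
}

// Start listening only when PROXY_PORT is set (bound to loopback for local use).
if (process.env.PROXY_PORT) {
  import('node:http').then(({ createServer }) =>
    createServer(handle).listen(Number(process.env.PROXY_PORT), '127.0.0.1'));
}
```

The front end then requests `/typeahead?q=...` from the proxy and never sees the key.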
