CORS problems around API

[humitos]

We currently support JSONP on APIv2 in the Footer HTML endpoint only.

Supporting JSONP on APIv3 will allow to query the API from different custom domains.

Suggested at #6152

[stsewd]

We shouldn't use jsonp for new code, we should use a CORS solution instead. And for public and read only endpoints.

[humitos]

@stsewd

We shouldn't use jsonp for new code

Why not?

we should use a CORS solution instead

How is that solution?

[stsewd]

jsonp is to get around CORS, we are opening too much with that, I linked this in other of our projects (private). You can read the warning on this project for example https://jpadilla.github.io/django-rest-framework-jsonp/.

This lib is for handling CORS on django https://github.com/adamchainz/django-cors-headers and it's recommended from django rest framework https://www.django-rest-framework.org/topics/ajax-csrf-cors/#cors

[humitos]

Thanks @stsewd for the data!

We already have django-cors-headers installed and it seems that we have been using it already for Ads. Although, I think we can improve its settings and enable it on the API as well.

[humitos]

I'm closing this issue because it's old and it does not adds value to the current situation. We have talked about CORS recently and we are working on the changes required.

[jobisoft]

This was closed without pointing to the current discussion. Where can I follow the progress?

I am not able to access the API from <projectslug>.readthedocs.io and also not from the custom domain setup for the project, and I find no public reference to CORS related hiccups besides this closed issue. Any help is appreciated.

[humitos]

Hi @jobisoft

This was closed without pointing to the current discussion. Where can I follow the progress?

The discussion wasn't public. We will update the documentation for our API to reflect these decisions soon.

I am not able to access the API from <projectslug>.readthedocs.io and also not from the custom domain setup for the project, and I find no public reference to CORS related hiccups besides this closed issue. Any help is appreciated.

What API endpoints are you using?

You should probably use the Proxied API that we designed for this particular case: instead of hitting readthedocs.org/api/ you should use <projectslug>.readthedocs.io/_/api/ (or just /_/api/ without caring where your RTD site is hosted --.readthedocs.io or custom domain). Please, let me know if this works for you.

[jobisoft]

@humitos : Thanks for your response. The endpoint I am currently using is this:
https://readthedocs.org/api/v2/version/?project__slug=thunderbird-webextension-apis&active=true

The page itself is here:
https://thunderbird-webextensions.readthedocs.io/en/latest/

But I cannot seem to get the proxy endpoint running:
https://thunderbird-webextensions.readthedocs.io/_/api/v2/version/?project__slug=thunderbird-webextension-apis&active=true

I also tried v3 at
https://thunderbird-webextensions.readthedocs.io/_/api/v3/projects/thunderbird-webextension-apis/versions/

Could you point me to documentation regarding proxy API? It definitely would solve my issues.

Thanks for your time!

[stsewd]

@jobisoft we only proxy APIs that are commonly used from docs sites, like search, embed and footer. We won't be able to proxy all endpoints as they depend on the codebase from the main site. We are going to add a better (public) footer api for users to use #8052

[jobisoft]

Thanks for your support, really appreciated.

My use case is the popular version warning extension, which can add banners to a readthedocs page and inform users, if they are looking at an outdated version. The beauty of the API usage there: All old versions could add pointers to all other available versions without being manually updated each time a new version has been released.

I solved this now by manually including a static json file in my "latest" version, which holds the information I would get back from the API. Since all old versions now fetch the file from the "latest" version, they will always be up to date again and I only have to update my static json. Maybe that helps others in the meantime.

Looking forward to the upcoming changes in the footer API!