API calls from within HTML template

html
template

#1

Hello!

I have a client that want to display data from their API in a text ticker.

I need to send a GET request with some custom header data for authentication, which is simple enough. My problem comes when the HTML producer blocks my request due the the CORS policy not allowing cross-origin requests. Has anybody done something like this? I really don’t want to set up a server just for this small ticker. Is it possible to do this withing the script of the HTML template?

Appreciate all help I can get. The deadline is approaching fast and I need to get this done.


#2

Hey @Byberg.
I am guessing you are loading the template on localhost correct? You can try adding the Access-Control-Allow-Origin meta tag and placing the domain as the value. Here is the MDN page for more info.
A bit more complicated, you could also setup a reverse proxy. But, that involves knowing some sort of web server framework.


#3

Hi thanks for the suggestions.

As far I understand it the Access-Control-Allow-Origin: * tag needs to be on the server side. In my case that would be my clients API which I don’t have access to for obvious reasons.

I’ll take a look at setting up a revers proxy. I think I need to give up on the idea of doing it all withing the template. Thanks for the tip.


#4

Try starting casparcg like this:
casparcg.exe casparcg.config --disable-web-security


#5

If you end up going with the reverse proxy route and are familiar with Express / NodeJS, I would recomend http-proxy-middleware


#6

No, that is almost never the case and it’s potentially a security risk. CORS is a client sided defense mechanism against a malicious HTML page making an HTTP request to another service using the identity of the user. (e.g. a script on google.com asking facebook.com to read private messages). This is a defense built into the browser and used to protect the end user. Setting the aforementioned header to “*” will completely disable this mechanism. Instead the specific client should disable the mechanism locally (which is OK in the case of CasparCG as a user is not signed in to any services)

As far as I know, CasparCG disables these types of security out of the box but I’m not 100% sure if that is the case in 2.0.7: https://github.com/CasparCG/server/blob/7829b13b266015752985933f703bd2fd4a8fb8d3/src/modules/html/producer/html_producer.cpp#L474

I believe it’s casparcg.exe casparcg.config --args --disable-web-security (as listed here)


#7

Just double checked and --args is not needed