
Cross Origin Resource Sharing (Origin header)

Paul Tidwell edited this page Oct 19, 2017 · 2 revisions

Bungie.net allows cross origin requests from correctly configured applications.

If your application is a Chrome extension or uses JavaScript in a web browser to call APIs on Bungie.net, you will need to configure your application’s Origin in the Bungie.net application portal. The Origin header is added by the web browser itself to each request sent to Bungie.net; page scripts cannot set, change or remove it. It is a security feature that tells Bungie.net which site or extension the request came from, so Bungie.net can decide whether to permit it. As long as your API key is linked to a known application, and the Origin header matches the one we have on file, the request is permitted.

You can determine your origin by examining the request headers generated by your browser in your browser’s developer tools. Take this request from a previous example:

POST https://www.bungie.net/Platform/App/GetAccessTokensFromCode/
Host: www.bungie.net
Accept: application/json
Origin: https://example.com
User-Agent: app-platform
Content-Length: 43
X-API-Key: 6747e6eaab87471cb98620895e554c69
Content-Type: application/json; charset=UTF-8

The Origin in this case is ‘https://example.com’, exactly as it appears in the request. An origin is the scheme and host (plus the port, if it is not the default for the scheme), with no path, query string or trailing slash.

Even if your application will only call APIs that do not require authentication, you can benefit by linking your Origin to your API key. Calls from browser code that were previously blocked by Cross Origin Resource Sharing (CORS) checks will start to work once the origin is on file.

Origin requirement

Bungie.net requires that if a platform request contains an Origin header, it match the origin registered with the application identified by the API key in that request. If there is no match, or no origin has been configured for the application, the request is rejected.

This is a defense-in-depth measure that narrows the usefulness of an API key. Because web browsers add the Origin header themselves, outside the control of the application’s code, an API key used in a context where it was not intended will not work: for example, a key accidentally copied from a source code repository, or taken from another application. There is a long list of cases where this measure has no effect (any client that is not a browser can send whatever Origin header it likes, or none at all), so it is far from a thorough security feature.

Application developers hindered by the origin requirement, either because the value of the header is unpredictable due to some nuance of the platform they are using, or because they have several possible origin values, may do one of the following in the Bungie.net application portal:

  • Configure the value of the origin to "*" (without the quotes)
  • Provide a comma-separated list of origin values (up to 200 characters in total).

The "*" option provides the most flexibility, but makes the API key easier to use in unintended contexts. Specifying a single specific origin, or a short list of valid origins, is preferred.
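The following is an added example, not Bungie's code: a small JavaScript model of the origin rule described on this page, covering how an origin is derived from a page URL (the request headers shown earlier) and how the single-origin, comma-separated-list, "*" and not-configured cases are decided. The application registry, its keys and the function names are assumptions for illustration; the only value taken from the page is the sample request.

```javascript
// Added example, not Bungie's code: a model of the Origin-matching rule this
// page describes, run against a constructed application registry. The registry
// contents, key names and function names are assumptions for illustration.

// Constructed registry: API key -> the origin setting entered in the portal.
const APP_REGISTRY = {
  // single origin, matching the sample request on this page
  "6747e6eaab87471cb98620895e554c69": "https://example.com",
  // comma-separated list (assumed key; the extension id is made up)
  "keyWithList": "https://app.example.com, chrome-extension://abcdefghijklmnopabcdefghijklmnop",
  // wildcard: any origin is accepted
  "keyWithWildcard": "*",
  // registered application with no origin configured
  "keyWithNoOrigin": "",
  // common misconfiguration: a trailing slash, which no browser ever sends
  "keyWithSlash": "https://example.com/",
};

// The Origin value a browser sends for a page at pageUrl: scheme + host
// (+ port only if non-default), with no path, query or trailing slash.
function originOf(pageUrl) {
  return new URL(pageUrl).origin;
}

// Split the portal setting into its list of allowed origins.
function parseAllowedOrigins(setting) {
  return setting.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Decide whether a request is permitted under the rule on this page.
// Returns { allowed: boolean, reason: string }.
function checkOrigin(headers, registry = APP_REGISTRY) {
  const apiKey = header(headers, "X-API-Key");
  const origin = header(headers, "Origin");

  if (apiKey === undefined || !Object.prototype.hasOwnProperty.call(registry, apiKey)) {
    return { allowed: false, reason: "API key is not linked to a known application" };
  }
  // The rule only applies when the request carries an Origin header; a
  // server-side client that sends none is not affected by it.
  if (origin === undefined) {
    return { allowed: true, reason: "no Origin header, origin rule not applied" };
  }
  const allowed = parseAllowedOrigins(registry[apiKey]);
  if (allowed.length === 0) {
    return { allowed: false, reason: "no origin configured for this application" };
  }
  if (allowed.includes("*")) {
    return { allowed: true, reason: "wildcard origin configured" };
  }
  // Exact string comparison, as the page states ("exactly as it appears in
  // the request"). A configured trailing slash, or the literal "null" that a
  // browser sends for a sandboxed iframe or file:// page, does not match.
  if (allowed.includes(origin)) {
    return { allowed: true, reason: "origin matches registered value" };
  }
  return { allowed: false, reason: `origin ${origin} is not registered for this application` };
}

// The request headers from this page, as an object (constructed sample).
const SAMPLE_REQUEST = {
  "Host": "www.bungie.net",
  "Accept": "application/json",
  "Origin": "https://example.com",
  "User-Agent": "app-platform",
  "X-API-Key": "6747e6eaab87471cb98620895e554c69",
  "Content-Type": "application/json; charset=UTF-8",
};

// Stand-alone demo of the cases above.
console.log(originOf("https://example.com/some/page?x=1"));
console.log(checkOrigin(SAMPLE_REQUEST));
console.log(checkOrigin({ ...SAMPLE_REQUEST, Origin: "https://evil.example" }));
console.log(checkOrigin({ ...SAMPLE_REQUEST, "X-API-Key": "keyWithSlash" }));
```

The trailing-slash entry is worth keeping in mind when registering an origin: a browser never sends one, so `https://example.com/` in the portal will not match the `https://example.com` the browser actually puts in the header.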