<p><a href="http://restlet.com/company/blog/2015/12/15/understanding-and-using-cors/" rel="nofollow">CORS</a> is used to relax security policy so that a browser can access content from domain B when viewing a page from domain A.</p>
<p>There are both <a href="https://mobilejazz.com/blog/which-security-risks-do-cors-imply/" rel="nofollow">security</a> and traffic/scaling implications with this.  As such, I don't think it should be enabled without discussion of cost/benefit.</p>
<p>Given that the Bisq markets API serves only public information, I am not worried about security concerns. However, a potential for traffic overload exists.</p>
<p>With the status quo (CORS not enabled) API requests are limited to:</p>
<ul>
<li>3rd parties that exec scripts/bots outside of a browser.</li>
<li>browser users that directly load an API URL.</li>
</ul>
<p>With CORS enabled, any 3rd-party website can link to a Bisq API within any page, causing all visitors to that page to load the Bisq API, invisibly to the user. So the number of requests to the Bisq API for a given period becomes the sum of each linking site times the number of its visitors. Whereas if the linking site called the Bisq API itself, say every 60 seconds, then the total number of requests is closer to linear with the number of linking sites.</p>
<p>So I will turn this issue around and ask the question:  <strong>Why is this needed exactly?</strong></p>
<p>Keep in mind that anyone can run Bisq software and the markets API themselves.</p>
