[bisq-network/bisq-markets] Some API outputs don't support Cross-Origin Resource Sharing (#14)

dan-da notifications at github.com
Wed Oct 17 16:12:52 UTC 2018


[CORS](http://restlet.com/company/blog/2015/12/15/understanding-and-using-cors/) is used to relax security policy so that a browser can access content from domain B when viewing a page from domain A.

There are both [security](https://mobilejazz.com/blog/which-security-risks-do-cors-imply/) and traffic/scaling implications with this.  As such, I don't think it should be enabled without discussion of cost/benefit.

Given that the Bisq markets API serves only public information, I am not worried about security concerns. However, a potential for traffic overload exists.

With the status quo (CORS not enabled) API requests are limited to:

* 3rd parties that exec scripts/bots outside of a browser
* browser users that directly load an API URL.

With CORS enabled, any 3rd party website can link to a Bisq API within any page, causing all visitors to that page to load the Bisq API, invisibly to the user. So the number of requests to the Bisq API for a given period becomes the sum of each linking site times the number of its visitors. Whereas if the linking site called the Bisq API itself, say every 60 seconds, then the total number of requests is closer to linear with the number of linking sites.

So I will turn this issue around and ask the question:  **Why is this needed exactly?**

Keep in mind that anyone can run Bisq software and the markets API themselves.



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq-markets/issues/14#issuecomment-430691746
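
The two cases compared in the comment above (CORS not enabled versus enabled), as an added example that is not part of the original comment or of Bisq's code: a model of the browser's CORS check showing which kinds of client can read an API response under each header set. The origins, header sets and function names are constructed placeholders, and the credentials branch of `corsCheck` goes beyond the case the comment discusses.

```javascript
// Added example; all origins and header sets below are constructed placeholders.
const API_ORIGIN = "https://markets.example";
// Fetch-standard CORS check: may a script running on pageOrigin read the response?
function corsCheck(pageOrigin, responseHeaders, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // CORS not enabled
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false; // must match the origin exactly
  if (!withCredentials) return true;
  return h["access-control-allow-credentials"] === "true";
}

// kind: "script" (bot outside a browser), "navigation" (user loads the API URL
// directly) or "page-fetch" (script on a page served from pageOrigin).
function canReadApi(client, responseHeaders) {
  switch (client.kind) {
    case "script":
    case "navigation":
      return true; // same-origin policy does not apply; CORS headers are ignored
    case "page-fetch":
      if (client.pageOrigin === API_ORIGIN) return true; // same origin
      return corsCheck(client.pageOrigin, responseHeaders, client.withCredentials);
    default:
      throw new Error(`unknown client kind: ${client.kind}`);
  }
}

const CLIENTS = {
  bot: { kind: "script" },
  directLoad: { kind: "navigation" },
  thirdPartyPage: { kind: "page-fetch", pageOrigin: "https://site-a.example" },
};
const HEADER_SETS = {
  statusQuo: { "Content-Type": "application/json" },
  corsEnabled: { "Content-Type": "application/json", "Access-Control-Allow-Origin": "*" },
};
// Rows: client kinds; columns: header sets; cells: can the client read the data?
function accessMatrix() {
  const rows = {};
  for (const [name, client] of Object.entries(CLIENTS)) {
    rows[name] = {};
    for (const [set, headers] of Object.entries(HEADER_SETS))
      rows[name][set] = canReadApi(client, headers);
  }
  return rows;
}
console.table(accessMatrix());
```

Only the `thirdPartyPage` row changes between the two columns, which is the difference the comment weighs.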