CORS policy blocking access to cloud.snap.berkeley.edu

Hello,

I am attempting to integrate Snap4Arduino into my web app. However, I get the following error when loading it from a server (on localhost, it works fine):

Access to XMLHttpRequest at 'https://cloud.snap.berkeley.edu/api/v1/init' from origin 'https://soundscope-website.web.app' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have tried using a proxy server as mentioned in the Snap! docs. However, that gave me the following error (both on localhost and on the servers I tried deploying to, an S3 bucket on AWS and Firebase):

Access to XMLHttpRequest at 'https://cors-anywhere.herokuapp.com/https://cloud.snap.berkeley.edu/api/v1/init' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

POST https://cors-anywhere.herokuapp.com/https://cloud.snap.berkeley.edu/api/v1/init net::ERR_FAILED

Any help or advice would be greatly appreciated. Thank you!

@cycomachead?

I think this is probably deliberate; we disallow cloud requests from sites not in our whitelist.

It is a "cors-anywhere.herokuapp.com" error. Access is blocked by your browser. The proxy returns the wrong header 'access-control-allow-origin:*', so you cannot log in with the cookie.

Your site exchanges the information between sound-scope and Snap by a postMessage. Are there any reasons to host your own Snap version?
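The two browser errors quoted in this thread, reproduced as an added example that is not part of any post or of the Snap! or Snap4Arduino code. It pairs a server-side origin allowlist with a simplified version of the browser's CORS check; the allowlist entries and all function names are assumptions made for illustration.

```javascript
// Constructed allowlist; the real Snap! Cloud list is not reproduced here.
const ALLOWED_ORIGINS = new Set([
  'https://allowed.example',
  'https://another-allowed.example',
]);

// Server side: build CORS headers for a request's Origin header.
// Unlisted origins get no CORS headers, so the browser blocks the response.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,      // echo the exact origin, never '*'
    'Access-Control-Allow-Credentials': 'true', // required for cookie-bearing requests
    'Vary': 'Origin',                           // stop caches reusing it across origins
  };
}

// What an open proxy that answers every request with a wildcard returns.
function wildcardProxyHeaders() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Browser side: simplified form of the CORS check from the Fetch standard.
function browserCorsCheck(origin, headers, withCredentials) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin === undefined) return 'blocked: no Access-Control-Allow-Origin header';
  if (!withCredentials) {
    return allowOrigin === '*' || allowOrigin === origin ? 'allowed' : 'blocked: origin mismatch';
  }
  if (allowOrigin === '*') return 'blocked: wildcard not permitted with credentials';
  if (allowOrigin !== origin) return 'blocked: origin mismatch';
  if (headers['Access-Control-Allow-Credentials'] !== 'true') {
    return 'blocked: Access-Control-Allow-Credentials is not true';
  }
  return 'allowed';
}

// Runs the cases from the thread plus the working, allowlisted case.
function demo() {
  const listed = 'https://allowed.example';
  const unlisted = 'https://soundscope-website.web.app';
  return {
    unlistedDirect: browserCorsCheck(unlisted, corsHeadersFor(unlisted), true),
    viaWildcardProxy: browserCorsCheck('http://localhost:3000', wildcardProxyHeaders(), true),
    wildcardNoCookies: browserCorsCheck('http://localhost:3000', wildcardProxyHeaders(), false),
    listedDirect: browserCorsCheck(listed, corsHeadersFor(listed), true),
  };
}
```

The wildcard response only passes when the request carries no credentials, which is why a wildcard proxy cannot carry a cookie-based login.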

@bh Understandable. Who could I and my team at the University of Virginia speak to regarding getting a certain domain approved for the whitelist?
@dardoro That makes sense. Yeah, I am writing custom JavaScript code that gets triggered when users complete certain actions within my own Snap! version, so I can't just use a direct Snap! project embed. Also, I am using Snap4Arduino's web app version (https://github.com/bromagosa/Snap4Arduino/releases/download/5.1.0/Snap4Arduino_web-chromium_folder_5.1.0.zip, from http://snap4arduino.rocks/).

Hi @ericstein,
Also, you will have problems with the Snap4Arduino plugin whitelist. Do you know about it?

https://github.com/bromagosa/Snap4Arduino/blob/master/src/platforms/web/chromium/crx/manifest.json

We can talk about this... but the issue is clear. People using the Snap4Arduino plugin are people who trust the Snap4Arduino project. They allow their browser to use their serial port from Snap4Arduino code. We cannot use it to force confidence in other projects running unknown code.

Continue,
Joan

Cool!

Yeah, the whitelist lives here. Feel free to make a PR:

@cycomachead Thanks for the response; just submitted a PR with the desired sites! Just to make sure, this will allow users to authenticate with Snap! and save/load their own custom projects on our sites, correct?
@jguille2 Thank you for pointing this out; I did not know that there was a separate whitelist for Snap4Arduino. It makes sense that you are wary of giving other sites full access to devices connected to the Snap4Arduino plugin. In our case, we would like to use Snap4Arduino as part of an online learning environment in which users can synthesize music using block coding via Snap! To further augment this experience, we would also like users to be able to connect to their Arduino boards and program unique playback effects (such as lights turning on/off in sync with the music that is currently playing and being displayed on a graph). If you would like more information about our use case, I would be glad to provide it. Thank you for your consideration.