CORS error

When accessing AeroAPI with TypeScript, the following error occurred.

Access to fetch at ‘http://flightxml.flightaware.com/json/FlightXML2/AirlineFlightSchedules?startDate=1646217600&endDate=1646217600&origin=RJTT&destination=RJOM’ from origin ‘http://localhost:1234’ has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response

Please help.

The source code for the relevant part is as follows.

export const getFlight = (
  data: {
    fromCode: string;
    toCode: string;
    startDate: string;
    endDate: string;
  }
) => {
  const url = fxmlUrl + "AirlineFlightSchedules";
  // Hard-coded test values; the data argument is not used yet.
  const startDate = '1646217600';
  const endDate = '1646217600';
  const fromCode = 'RJTT';
  const toCode = 'RJOM';

  // This runs in the browser: username/password are sent in an Authorization
  // header, which is the header named in the CORS error above.
  restclient.get(url, {
    mode: 'cors',
    username: FA_username,
    password: FA_KEY,
    query: {
      startDate: startDate,
      endDate: endDate,
      origin: fromCode,
      destination: toCode
    }
  }).on('success', function (result: any, response: any) {
    console.log(result);
    console.log(response);
  });
};

AeroAPI does not support Cross-Origin Resource Sharing (CORS) requests. It’s not recommended to make AeroAPI requests through scripting in the browser due to the potential exposure of your AeroAPI credentials. A backend application server should be used to make the AeroAPI requests instead.
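The backend approach recommended in the reply above, as an added example (not FlightAware's or the original poster's code). It assumes Node 18+, the endpoint from the question's error message reached over https, and hypothetical names: the `FA_USERNAME` / `FA_KEY` environment variables, `buildUpstreamRequest`, `handleSchedules`, and the parameter patterns.

```javascript
// Added example: server-side proxy so the AeroAPI key never reaches the browser.
// Endpoint host/path are from the error message in the question; https is assumed.
const UPSTREAM = "https://flightxml.flightaware.com/json/FlightXML2/AirlineFlightSchedules";
// Only these parameters are forwarded, and only if they match (patterns are assumptions).
const ALLOWED = {
  startDate: /^\d{1,10}$/, endDate: /^\d{1,10}$/,
  origin: /^[A-Z0-9]{3,4}$/, destination: /^[A-Z0-9]{3,4}$/,
};

// Turn the browser's query string into the upstream URL plus the Basic auth header.
function buildUpstreamRequest(search, creds) {
  const incoming = new URLSearchParams(search);
  const url = new URL(UPSTREAM);
  for (const [name, pattern] of Object.entries(ALLOWED)) {
    const value = incoming.get(name);
    if (value === null || !pattern.test(value)) {
      return { error: `missing or invalid parameter: ${name}` };
    }
    url.searchParams.set(name, value);
  }
  const token = Buffer.from(`${creds.username}:${creds.key}`).toString("base64");
  return { url: url.toString(), headers: { Authorization: `Basic ${token}` } };
}

function sendJson(res, status, body) {
  res.writeHead(status, { "Content-Type": "application/json" });
  res.end(body);
}

// Handler with the (req, res) signature of Node's http.createServer.
// Mount with: require("http").createServer(handleSchedules).listen(3000)
async function handleSchedules(req, res) {
  if (req.method !== "GET") return sendJson(res, 405, '{"error":"GET only"}');
  // Credentials live only in the server's environment, never in page scripts.
  const creds = { username: process.env.FA_USERNAME, key: process.env.FA_KEY };
  if (!creds.username || !creds.key) return sendJson(res, 500, '{"error":"proxy not configured"}');
  const search = new URL(req.url, "http://localhost").search;
  const upstream = buildUpstreamRequest(search, creds);
  if (upstream.error) return sendJson(res, 400, JSON.stringify({ error: upstream.error }));
  try {
    const reply = await fetch(upstream.url, { headers: upstream.headers });
    sendJson(res, reply.status, await reply.text());
  } catch (err) {
    // Never echo the error, upstream URL or headers back to the browser.
    sendJson(res, 502, '{"error":"upstream request failed"}');
  }
}
```

Serve this handler from the same origin as the page so the browser needs no CORS headers and sends no Authorization header of its own. Because the proxy spends your API quota, put your own session check or rate limit in front of it.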

What he said… If you’re passing data to a lot of sites, they require HTTPS so that the content is encrypted. This assumes passing data in the body, not in the URL (for web peeps, an “ajax” call). And the message you are getting explicitly calls this out with: “Request header field authorization is not allowed”. The CORS error is just telling you that this site won’t accept the unencrypted HTTP accesses. Browsers are getting very strict about this, and the ability for the user to override the restriction is going away. Too many people will click “OK” on anything if it gets them what they want. It is ultimately up to the site to define if it will take HTTP and HTTPS traffic.
Note also that if your site is HTTPS and it tries to load content from a non-HTTPS site, such as graphics or worse yet code, the browser will give you a CORS error. A lot of sites that don’t have sensitive data (like the National Weather Services radar images) have HTTPS access even though the images are free to the public so that sites can use them without a CORS error.
I hope the day never comes where you are forced to use only HTTPS, since that eliminates web pages on systems where there is no external Internet access, such as a home network or (for the stuff I’m playing with) emergency responders in an incident area where there is no LTE or other access to the internet, and as such they cannot use 3rd party certificates. Many browsers now will not work with self-signed certificates (or require an endless process of “are you sure” interactions).

Not actually a http/https problem. The underlying issue (that the CORS check is mitigating) is that you should not put the AeroAPI credentials in a script that is running in the client’s browser, because that exposes the credentials to the client. That is still a problem regardless of whether you’re using http or https. (FlightAware is almost exclusively https these days, FWIW)

I’m not sure why you think that HTTPS requires wider internet access. CRLs are about the only thing I can think of there, and they generally fail gracefully.

letsencrypt.

You are correct. Credentials in the JavaScript is a no-no. JavaScript that puts credentials in the URL is a no-no.
Agree that https is best for FlightAware since the whole idea is to use the Internet to share the data. If your use case requires connection to servers on the Internet, https/encryption is a good “play it safe” thing to do.
I looked at Let’s Encrypt, will do that someday. Installing on Unix didn’t go well, just need to beat on it more someday… Certs are cheap, time is not.
The issues I’m having are particularly bad on Safari. Am also battling that most browsers embedded in a device (cell phone) will not let you use the GPS unless the site is https. No override available. What if you don’t care if anyone sees your location information? Sometimes it seems like the big companies are trying to help too much…
Since you’re with FlightAware Staff, let me say thanks because you guys and gals are doing a fantastic job with the Pi software and ease of installation.