Allowing cross origin requests (CORS) on certain Read-Only APIs

It would be incredibly helpful for web developers if Roblox disabled cross origin request blocking (by adding the ‘Access-Control-Allow-Origin: *’ header) on certain read-only web APIs which do not affect user privacy. For example:

  • Thumbnail APIs
  • Search APIs
  • Avatar APIs which are not associated with the authenticated user
  • And any other read-only APIs which do not deal with information from the currently authenticated user.

This change would open up many possibilities for 3rd party web developers in our quest to build cool tools on top of the Roblox platform, prevent us from having to use workarounds such as slow backend caching, and provide an overall better QoL for users and developers.

Please consider this change. I think it would really accelerate the speed of innovation for 3rd party web developers!

Thanks,
Dice_RoPro
Developer of RoPro

4 Likes
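To make the "read-only and not tied to the authenticated user" distinction concrete, here is an added example in JavaScript (not code from the original post or from Roblox): a response-side policy that grants `Access-Control-Allow-Origin: *` only to endpoints whose output does not depend on the caller's session, plus an audit check for the combinations that should never appear. The path prefixes are constructed placeholders, not real Roblox routes.

```javascript
// Added example (not Roblox's code): a response-side CORS policy that applies
// the rule argued in the post above. Path prefixes are constructed placeholders.

// Constructed allowlist: read-only endpoints whose output does not depend on
// who is asking (no session cookie is consulted to build the response).
const PUBLIC_READ_ONLY_PREFIXES = ["/v1/thumbnails/", "/v1/search/", "/v1/avatar/users/"];

// Constructed examples of endpoints that are bound to the caller's session.
const SESSION_BOUND_PREFIXES = ["/v1/avatar/me", "/v1/account/"];

// Methods that cannot change state on a correctly designed read-only API.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function isPublicReadOnly(path, method) {
  if (!SAFE_METHODS.has(method)) return false;
  if (SESSION_BOUND_PREFIXES.some((p) => path.startsWith(p))) return false;
  return PUBLIC_READ_ONLY_PREFIXES.some((p) => path.startsWith(p));
}

// Decide which CORS headers (if any) a response to `req` may carry.
// `req` is a plain object: { path, method, headers: { origin?: string } }.
function corsHeadersFor(req) {
  const { path, method, headers } = req;
  // No Origin header: same-origin navigation or a non-browser client; CORS does not apply.
  if (!headers.origin) return {};
  // Session-bound or state-changing requests get no relaxation at all.
  if (!isPublicReadOnly(path, method)) return {};

  // A constant "*" is safe here precisely because the response is identical for
  // every caller. If a page makes the request with credentials anyway, the browser
  // refuses to expose a response whose allowed origin is "*", so a session-scoped
  // body could not be read cross-origin even by mistake. Because the value never
  // varies per request, no "Vary: Origin" is needed for shared caches.
  const out = { "Access-Control-Allow-Origin": "*" };
  if (method === "OPTIONS") {
    // Preflight answer: only safe methods, cached briefly.
    out["Access-Control-Allow-Methods"] = "GET, HEAD";
    out["Access-Control-Max-Age"] = "600";
  }
  // Access-Control-Allow-Credentials is deliberately never set.
  return out;
}

// Audit check for outgoing headers: returns a list of findings (empty when clean).
// `req` has the same shape as above and is used to recognise a reflected Origin.
function auditCorsHeaders(headers, req) {
  const findings = [];
  const acao = headers["Access-Control-Allow-Origin"];
  const creds = headers["Access-Control-Allow-Credentials"] === "true";
  if (acao === "*" && creds) {
    findings.push("wildcard origin combined with credentials");
  }
  if (acao === "null") {
    findings.push("literal 'null' origin allowed");
  }
  if (creds && acao && acao === req.headers.origin && !isPublicReadOnly(req.path, req.method)) {
    findings.push("session-bound endpoint reflects the request Origin with credentials");
  }
  return findings;
}
```

The policy is an allowlist rather than a denylist: a new endpoint gets no cross-origin access until someone confirms its response is the same for every caller, which is the property that actually makes the wildcard harmless.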

I agree. Even with my (admittedly limited) knowledge in the web development field, CORS has proven to be one of the most annoying things that we must deal with. I can’t imagine what it’s like on the Roblox APIs, which may even be the strictest ever. As you stated, it’s not required, as these APIs cannot be used to request user data, and therefore exploitative connections will not gain anything. It may be possible that Roblox has made an entire system that applies the same security policies to all of their APIs that would break one’s back to change, but we cannot be certain. Nevertheless, it would very much be a QoL update for add-on developers and users.

1 Like

Yep! It would seriously improve QoL for users and developers, open up tons of new possibilities, and doesn’t pose a security threat to the platform.

Thanks for posting about this!

To start: it’s better to formulate your feature requests as problems rather than as proposed solutions. The problem here is not that these endpoints have CORS restrictions, but that you as an app developer can’t currently pull this information from your app. This problem has multiple solutions, one of them being turning off CORS on the mentioned APIs.

The solution we went ahead with is that we’re going to supply Open Cloud equivalents for Thumbnail/Avatar/User API. You will be able to use these in OAuth2.0-esque scenarios instead of the existing web APIs that are not Open Cloud-enabled. I don’t have a concrete timeline but this is already in development. These APIs will be able to pull information both of the authenticated user and of other users.

I recommend posting a separate feature request on the “search” part, explaining what kind of problems you are facing where you believe you need access to search APIs.

3 Likes

That’s great news, thanks! Sorry for the misformatting on the Feature Request - will keep this in mind going forward.

The search API was more of an example addition to the list, and not necessary for anything I’m building. The main problem I was facing is with the Thumbnail API, so I’m really glad to hear that these will soon be supported by OAuth. I really appreciate what Roblox is doing for app developers with the Open Cloud system, thanks again!

1 Like
