Simon Willison on Nostr: If I have a JSON API that's protected by "Authorization: Bearer XXX" API tokens, what ...
If I have a JSON API that's protected by "Authorization: Bearer XXX" API tokens, what are the arguments against sticking these headers on it?
```http
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Authorization
```
I want users of my API to be able to access it via JavaScript from any host.
The best argument I can think of is that it may encourage people to leak their private API token in publicly visible HTML documents. Anything else?
Published at 2024-04-06 17:22:40
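As an added illustration (not code from the post or from any of Simon's projects), here is a minimal WSGI app that serves exactly the three headers above, answers the unauthenticated preflight, and requires the bearer token on real requests; the `call()` helper drives it in-process so the behaviour can be checked without a browser. The token value is constructed for the demo.

```python
import json

ALLOWED_METHODS = ("GET", "POST")
ALLOWED_HEADERS = ("Authorization", "Content-Type")
VALID_TOKENS = {"demo-token-not-real"}  # constructed; real tokens live in a store

def cors_headers():
    # A wildcard origin cannot be combined with Allow-Credentials, so browsers
    # never attach cookies or HTTP auth to these responses: the only credential
    # the API sees is the Authorization header the calling script sets itself.
    return [
        ("Access-Control-Allow-Origin", "*"),
        ("Access-Control-Allow-Methods", ", ".join(ALLOWED_METHODS)),
        ("Access-Control-Allow-Headers", ", ".join(ALLOWED_HEADERS)),
    ]

def bearer_token(environ):
    """Return the token if the Authorization header carries a valid bearer token."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip() in VALID_TOKENS:
        return token.strip()
    return None

def app(environ, start_response):
    """WSGI app: answer the preflight unauthenticated, require a token otherwise."""
    if environ["REQUEST_METHOD"] == "OPTIONS":
        start_response("204 No Content", cors_headers())
        return [b""]
    if bearer_token(environ) is None:
        start_response("401 Unauthorized", cors_headers() + [
            ("WWW-Authenticate", 'Bearer realm="api"'),
            ("Content-Type", "application/json")])
        return [b'{"error": "missing or invalid bearer token"}']
    start_response("200 OK", cors_headers() + [("Content-Type", "application/json")])
    return [json.dumps({"ok": True}).encode()]

def call(method, headers=None):
    """Drive `app` in-process (no socket): returns (status, header dict, body)."""
    environ = {"REQUEST_METHOD": method}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}
    def start_response(status, response_headers):
        captured["status"], captured["headers"] = status, dict(response_headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Because the wildcard rules out credentialed requests, a page on another origin can only reach the data if its script already holds the token, which is why the leak-in-public-HTML concern is the one that matters.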