‘I’m trying to call the SmartConnect API from my web app, but I receive this error…’
This error is returned, because Cross-origin resource sharing (CORS) is not allowed by the SmartConnect API. If the service allowed this, it would expose you to Cross-Site Request Forgery (CSRF) attacks. If we look beyond the security concerns when accessing the SmartConnect web service from a browser, there are also performance concerns, due to the nature of the SmartConnect API.
- MapRun endpoints can be long running. What happens while the map runs?
- Will the browser freezes?
- Will it lose the result of success/failure if the user browses away from the page?
- GetData endpoints will load large XML data tables to your browser that will be parsed, by the browser.
Because we can’t interact with the SmartConnect API from the browser, we need to write the app so it will run the calls to the SmartConnect API as background tasks on the server. Once the process completes, the result can be sent back to the browser. The browser should never attempt to directly access the SmartConnect API.
This is how the SmartConnect real-time integrations use the API. This will resolve both the security and performance concerns.
Security: The credentials for the SmartConnect API are not stored in the browser or passed from an unsecured location to SmartConnect. They are instead processed from the server directly.
Performance: Long running endpoints are going to be handled by the server even if a user navigates from the active page. If the GetData endpoint is called, the resulting data can be filtered/formatted on the server before being sent to the browser.
If you have any further questions, you can email us at firstname.lastname@example.org.