
Please bear with me if my post title seems vague, as I'm not entirely knowledgeable about web/server components and terminology; any corrections will be appreciated once I have stated the issue.

Some days ago I was doing fine with API calls, smooth transactions back and forth, until certain requirements came down and were implemented for security reasons when accessing our API. They have this Cross Domain Policy or CORS for such requirements, and now I cannot access the API anymore. My current understanding is the following:

  • All API callers are listed in the API code/configuration

  • If the caller is not found in the list in the configuration, return an error (prohibit the network transaction)

  • This configuration of our API was set up ONLY for specific website API callers, because the API has the list of domains that are accepted for transactions

I do understand the constraints the API currently has; I just can't figure out where to start searching for a solution, or even the single-word terminology I need to start solving the issue. They told me to search for something called "URL referrer", but I had no luck searching for things like "Configure URL Referrer in Retrofit2" or "Intercept request for Cross Domain Policy using Retrofit2".

My current thinking and approach for the solution are the following:

  • How can I introduce myself to the API (e.g. "my domain is" or "I am http://im.authenticated.android.caller.com"), given that it is listed in the API configuration?

  • Or how can I intercept the request and tell the API "Hey, this is my identification; if I'm listed in your domain list, or any list, can you grant my network request?"

  • Or how can I intercept, see and modify the origin caller in Retrofit2?

I really need some help with where to start.

Any help will be greatly appreciated.

Robert

2 Answers


Is this what they mean by URL referrer?

The HTTP referer (originally a misspelling of referrer) is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated. Wikipedia

If so, it sounds like you could add/edit the referrer header field in the interface declaration:

import java.util.List;
import retrofit2.Call;
import retrofit2.http.GET;
import retrofit2.http.Headers;
// Task is the tutorial's model class; "Referer" (one r) is the real header name
public interface UserService {
    @Headers("Referer: http://im.authenticated.android.caller.com")
    @GET("/tasks")
    Call<List<Task>> getTasks();
}

Note the misspelling, "Referer" not "Referrer". Intentional.

The example is adapted from this tutorial.

nasch
  • Thank you for the response, but currently it's about the "origin"; they say I should be able to change the "origin header" :( – Robert May 03 '17 at 07:31
  • Then try Origin instead of Referer. Not sure that will work; it sounds like Origin is a special kind of header. – nasch May 03 '17 at 14:50
  • Yeah, thanks so much. I also tried that, until they explained everything to me: the "CORS/Cross Domain Policy configuration thing" will only run server-to-server, which means that the receiving server (API) will only grant callers (clients) which come from an identified server. In my case, a network call from a mobile app is considered a "client", therefore I am restricted from accessing it. – Robert May 04 '17 at 02:41
  • Anyway, we just decided to put a header in the request and make a white list of allowed client callers (mobile apps) on the API server. But thanks so much for providing an answer, as this will be a good solution in case I encounter a specific issue about "URL referer". – Robert May 04 '17 at 02:41
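What the answer above boils down to is worth seeing end to end. The following is an added example, not code from the question or the answers: a minimal server-side "allowed domains" check of the kind described in the question, run against constructed requests from a simulated native client. CORS is enforced by the browser, which sets the Origin header itself and refuses to let page script override it; a mobile app or any other non-browser client talks to the server directly and can put whatever it likes in Origin or Referer (in Retrofit that is the @Headers annotation shown above, or an OkHttp Interceptor). The domain names, the allow-list and the Request class are assumptions made for the example.

```python
# Added example (not from the question or answers): a server-side
# origin allow-list check, exercised by a simulated non-browser client.
# Domain names and the allow-list contents are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOWED_ORIGINS = {
    "https://app.example.com",                       # assumed web front-end
    "https://im.authenticated.android.caller.com",   # the OP's hypothetical value
}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def origin_allowed(req: Request) -> bool:
    """What a server does when it 'whitelists domains': it compares a
    header string that the client itself chose to send."""
    origin = req.header("Origin")
    return origin is not None and origin in ALLOWED_ORIGINS


def handle(req: Request) -> int:
    """Return an HTTP status code for the request."""
    if not origin_allowed(req):
        return 403
    return 200


def mobile_call(claimed_origin: Optional[str]) -> int:
    """Simulate a native client calling GET /tasks. There is no browser in
    the path, so nothing prevents it from setting Origin to any value."""
    headers = {"Accept": "application/json"}
    if claimed_origin is not None:
        headers["Origin"] = claimed_origin
    return handle(Request("GET", "/tasks", headers))


if __name__ == "__main__":
    print(mobile_call(None))                      # 403: no Origin, the OP's situation
    print(mobile_call("https://evil.example"))    # 403: value not on the list
    # 200: the "identification" the OP asked for is nothing more than a header value
    print(mobile_call("https://im.authenticated.android.caller.com"))
```

The third call succeeds, which answers the practical question, but it also shows why the infrastructure team's domain list cannot serve as access control for anything other than browsers: the server has no way to tell a whitelisted web page from a client that merely claims to be one.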

The infrastructure team just roughly explained to me the technical details of implementing a CORS or Cross Domain Policy configuration on the server that holds the API. We realized that the configuration is exclusive to the API's server and the client web applications' server, so there are certain HTTP protocols that ONLY a client web application's server can provide for the API server to grant access for a network transaction, and as a mobile application (client) I am not capable of providing such information to be granted access. As a result, we all decided to put a header on the request, come up with some encrypted parameters, and put a white list on the API server for the mobile application's API access.

I don't have sufficient knowledge regarding server or back-end systems and configuration, so if there is something I'm missing, such as whether Retrofit or Android has some way to configure access to a CORS-configured server, please feel free to comment; a link will be greatly appreciated.

Robert
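The approach the answer settles on, a request header plus a server-side white list of mobile clients, only holds up if the header cannot simply be copied by anyone who has seen one request. The following is an added example and not the poster's or their team's implementation: one way to build that "header with some encrypted parameters", using a per-client secret and an HMAC over the parts of the request that must not change in transit, verified against the white list with a constant-time comparison and a timestamp window. The client ids, keys, timestamps and header names are assumptions; on the Android side the same `sign` step would live in an OkHttp Interceptor.

```python
# Added example (not from the answer): a signed client-identification header
# checked against a server-side allow-list. Client ids, secrets and the
# fixed timestamps used below are assumptions for the example.
import hashlib
import hmac
import time
from typing import Dict, Optional

# Server-side allow-list: client id -> shared secret (assumed values; in
# practice provisioned per app build and kept out of source control).
CLIENT_KEYS: Dict[str, bytes] = {
    "android-app-v1": b"assumed-32-byte-secret-for-android-app",
}
MAX_SKEW_SECONDS = 300  # how old a signed request may be before it is refused


def canonical(method: str, path: str, body: bytes, ts: str, client_id: str) -> bytes:
    # Everything that must not be altered in transit goes under the MAC.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, ts, client_id]).encode()


def sign(client_id: str, key: bytes, method: str, path: str, body: bytes,
         now: Optional[float] = None) -> Dict[str, str]:
    """Client side: the headers an OkHttp interceptor would add to each call."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(key, canonical(method, path, body, ts, client_id), hashlib.sha256)
    return {"X-Client-Id": client_id, "X-Timestamp": ts, "X-Signature": mac.hexdigest()}


def verify(headers: Dict[str, str], method: str, path: str, body: bytes,
           now: Optional[float] = None) -> int:
    """Server side: 200 only if the client is on the list, the request is
    fresh, and the signature matches the request as actually received."""
    client_id = headers.get("X-Client-Id", "")
    key = CLIENT_KEYS.get(client_id)
    if key is None:
        return 401  # unknown client: not on the white list
    ts = headers.get("X-Timestamp", "")
    if not ts.isdigit():
        return 401
    current = now if now is not None else time.time()
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return 401  # stale: limits replay of a captured request
    expected = hmac.new(key, canonical(method, path, body, ts, client_id),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so response timing does not leak the expected MAC
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return 401
    return 200


if __name__ == "__main__":
    body = b'{"task":"demo"}'
    t = 1_700_000_000  # fixed clock so the run is reproducible
    h = sign("android-app-v1", CLIENT_KEYS["android-app-v1"], "POST", "/tasks", body, now=t)
    print(verify(h, "POST", "/tasks", body, now=t))                         # 200
    print(verify(h, "POST", "/tasks", b'{"task":"tampered"}', now=t))       # 401: body changed
    print(verify(dict(h, **{"X-Client-Id": "unknown"}), "POST", "/tasks", body, now=t))  # 401
    print(verify(h, "POST", "/tasks", body, now=t + 3600))                  # 401: replayed later
```

The caveat a practitioner would attach: a secret shipped inside a mobile app can be pulled out of the APK, so this identifies the app build, not a user, and it raises the cost of impersonation rather than making it impossible. Per-user credentials (for example a token issued after login) are the thing to put behind the white list if the API needs to know who is calling, not just which app.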