We are trying to access Canvas APIs from our web page (different domain). During the process, while attempting to fetch data, we are getting a CORS policy error (screenshot attached). We assume that there should be some config file added in the root folder of Canvas server in order to access API from our website.
Can someone help me in adding our server to Canvas?
Aside from the CORS message, your image includes an access token. You should immediately invalidate that token since you've now put it on the web for people to see. That is basically giving anyone access to your Canvas installation as that user. See How do I manage API access tokens as an admin?
As for the CORS issue, you're trying to access focusedsolutions.instructure.com from wow.focuseduvation.com. Those are not the same domain, so that's why you're getting the error.
We assume that there should be some config file added in the root folder of Canvas server in order to access API from our website.
This is not a valid assumption. You want Canvas to weaken their security to support your website when you've demonstrated that you don't understand how their security model works. That's a recipe for disaster and it's not going to happen.
Canvas does have a content security policy that you control. We haven't enabled it and I'm not completely sure what you're trying to do, but you may look into it. How do I manage the Content Security Policy for an account?
Hi James & Stefanie,
Thanks for your reply and removing the attachment.
The access token was created using OAuth2 (https://canvas.instructure.com/doc/api/file.oauth.html#oauth2-flow) and the token was expired by the time I posted my query.
We are trying to access the user details and course details APIs; we wanted those to be displayed in our web page.
We will try to enable the setting and try to add our domain (wow.focuseduvation.com); hopefully this may solve the CORS policy error. Correct me if I am wrong.
We have also added a web.config in the root of our domain.
Hope for the best
Coming from a Linux world, I had not heard of web.config. It appears to be a Microsoft thing. It has nothing to do with Canvas.
The same-origin issue is on the Canvas side. Telling your server that it's okay to connect to Canvas and bypass CORS doesn't impact Canvas in the slightest. That wouldn't provide any real security if the calling end could override it. What you control on your server is for sites that are connecting to your server, not what your server is connecting to. Neither will trying to lie to the Canvas server with a host header to claim you're from the same origin.
Another way to handle this is that you can set up Canvas to transfer information such as the course and some details about the user with the LTI connection. Then you would have that without having to make an API call to Canvas to get it.
Here are some previous questions in the Community about other people having this problem. The discussion around them may prove beneficial.
Here are a couple of links to the Mozilla Developer Network that explain the same-origin policy and CORS.
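The point in the reply above, that only the server being called decides whether a cross-origin page may read its responses, as an added example that is not part of the original thread. It is a simplified model of the browser's Access-Control-Allow-Origin check (preflight is not modelled); the hostnames come from the thread, while the https scheme, the API path and every header value are constructed assumptions.

```javascript
// Added example: simplified model of the browser's check on a cross-origin response.
// Hostnames come from the thread; https, the API path and all headers are constructed.
const PAGE = "https://wow.focuseduvation.com";
const TARGET = "https://focusedsolutions.instructure.com/api/v1/courses";

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// headersByHost: response headers each server sends. Only the target's are consulted.
function browserAllowsRead(pageOrigin, targetUrl, headersByHost, withCredentials = false) {
  const page = new URL(pageOrigin), target = new URL(targetUrl);
  if (page.origin === target.origin) return { allowed: true, reason: "same origin" };
  const h = lowerKeys(headersByHost[target.host] || {});
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return { allowed: false, reason: "target sent no Access-Control-Allow-Origin" };
  if (acao === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard is not honoured for credentialed requests" }
      : { allowed: true, reason: "wildcard" };
  }
  if (acao !== page.origin) return { allowed: false, reason: "allowed origin does not match page" };
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "target did not allow credentials" };
  }
  return { allowed: true, reason: "origin explicitly allowed by target" };
}

// Case 1 (constructed): the caller's own server, e.g. via web.config, advertises
// CORS headers but the target does not. The caller's headers are never looked at.
const callerOnly = {
  "wow.focuseduvation.com": { "Access-Control-Allow-Origin": "*" },
  "focusedsolutions.instructure.com": { "Content-Type": "application/json" },
};
// Case 2 (hypothetical): only a header sent by the target itself changes the outcome.
const targetOptsIn = {
  "focusedsolutions.instructure.com": { "Access-Control-Allow-Origin": PAGE },
};

function runCases() {
  return {
    callerOnly: browserAllowsRead(PAGE, TARGET, callerOnly),
    targetOptsIn: browserAllowsRead(PAGE, TARGET, targetOptsIn),
    sameOrigin: browserAllowsRead("https://focusedsolutions.instructure.com", TARGET, callerOnly),
  };
}
console.log(runCases());
```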
Good evening, @shreeram_r ...
I am reviewing some of the older questions here in the Canvas Community, and I stumbled upon your question. I wanted to check in with you because there hasn't been any new activity in this topic for quite some time. It looks like @James has been helping you with your question. Do you feel that James has helped to answer your question? If so, please feel free to click on the "Mark Correct" button next to one of his replies. However, if you are still looking for some help from Community members, please let us know by posting a note below. For the time being, I am going to mark your question as "Assumed Answered" because there hasn't been any new activity in this topic for almost six months. However, that won't prevent you or others from posting additional questions and/or comments below that are related to this topic. I hope that's okay with you, Shreeram. Looking forward to hearing back from you soon.