Cross origin issue

[pimarc]

As a MSFS developper of the GTN750 GPS, we have requests from VATSIM users to build an utility that connects VATSIM data.
Unfortunatley, we are facing a cross origin protection issue when accessing this url from inside the sim: https://data.vatsim.net/v3/vatsim-data.json via javascipt. So the data comes empty.
If you could disable the cross origin protection in your servers, this would be great.
Example to disable cross origin can be found here: https://ubiq.co/tech-blog/set-access-control-allow-origin-cors-headers-apache/
Thanks
Pierre
PMS50

[jonaseberle]

I second that it would ease developing web apps. I would also ask the dev team to consider feasibility of sending Access-Control-Allow-Origin: *.

With the current situation:
I don't know about your client, but if your JavaScript runs in your environment you can probably lower the CORS requirements on your side. That would then be the same like other apps (like VAT-Spy, Qutescoop, ...) that are currently accessing the data.
If you can't you would have to set up a little server yourself to deliver the data to your app. That's what the browser-based tools are currently doing.

Hint: Correctamente you should not fetch that URL directly. Rather get https://status.vatsim.net/status.json and fetch randomly from one of the URLs in the data.v3 array.

[pimarc]

We don't have control on the client side. This is an internal embedded browser in Microsoft Flight Simulator.
Disabling cross origin for the "coui://html_ui" domain on VATSIM side should do the trick.

[ahadley1124]

I feel that there needs to be the restricted endpoint that Vatsim uses in their own apps. There should then be a separate endpoint for developers and customers to use. This would allow them to keep the strictness on their side while also having a section dedicated to the community.

[pimarc]

Enabling this domain for cross origin control should make it to work in MSFS: "coui://html_ui"
Typically for apache in httpd.conf or .htaccess:

Header set Access-Control-Allow-Origin "coui://html_ui"

[pimarc]

Any answer about that?

Another solution would be to allow JSONP (see https://stackoverflow.com/questions/9519209/how-do-i-set-up-jsonp)
But the best solution is to add "coui://html_ui" as an authorized cross-origin.

[nharasym]

We've talked about this internally. Given how caching works we can safely add an unknown amount of new possible tools / products etc connecting. I'll update the things on our side to adjust CORS.

[pimarc]

Great news.
Making the VATSIM data available from a cockpit gauge will be a nice addition.
We'll then be able to build a VATSIM utility directly in the GTN750 instrument.
Let me know when you change the CORS setting so I can test and let you know if that works.

[nharasym]

Its been set and I've confirmed it should work.

[pimarc]

I can confirm: that works.
Thank you. We'll be able to create a VATSIM utility now.