I'm fetching google contacts in a webapp using the Google JavaScript API and I'd like to retrieve their pictures.
I'm doing something like this (heavily simplified):
var token; // let's admit this is available already
function getPhotoUrl(entry, cb) {
var link = entry.link.filter(function(link) {
return link.type.indexOf("image") === 0;
}).shift();
if (!link)
return cb(null);
var request = new XMLHttpRequest();
request.open("GET", link.href + "?v=3.0&access_token=" + token, true);
request.responseType = "blob";
request.onload = cb;
request.send();
}
function onContactsLoad(responseText) {
var data = JSON.parse(responseText);
(data.feed.entry || []).forEach(function(entry) {
getPhotoUrl(e, function(a, b, c) {
console.log("pic", a, b, c);
});
});
}
But I'm getting this error both in Chrome and Firefox:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.google.com/m8/feeds/photos/media/<user_email>/<some_contact_id>?v=3.0&access_token=<obfuscated>. This can be fixed by moving the resource to the same domain or enabling CORS.
When looking at the response headers from the feeds/photos endpoint, I can see that Access-Control-Allow-Origin: *
is not sent, hence the CORS error I get.
Note that Access-Control-Allow-Origin: *
is sent when reaching the feeds/contacts
endpoint, hence allowing cross-domain requests.
Is this a bug, or did I miss something from their docs?
Not able to comment yet, hence this answer…
Obviously you have already set up the proper client ID and JavaScript origins in the Google developers console.
It seems that the domain shared contacts API does not work as advertised and only abides by its CORS promise when you request
JSONP
data (your code indicates that you got your entry data using JSON). For JSON format, the API sets theaccess-control-allow-origin
to * instead of the JavaScript origins you list for your project.But as of today (2015-06-16), if you try to issue a
GET
,POST
… with a different data type (e.g.atom
/xml
), the Google API will not set the access-control-allow-origin at all, hence your browser will deny your request to access the data (error 405).This is clearly a bug, that prevents any programmatic use of the shared contacts API but for simple listing of entries: one can no longer create, update, delete entries nor access photos.
Please correct me if I'm mistaken (I wish I am); please comment or edit if you know the best way to file this bug with Google.
Note, for the sake of completeness, here's the code skeleton I use to access contacts (requires jQuery).
If you replace
cif.data.alt
byatom
and/orcif.dataType
byxml
, you get the infamous error 405.ps: cif is of course related to ajax ;-)