I'm building a simple React app and want to display TripAdvisor photos of a specified city. TripAdvisor has an API to do this, and when I make a request through Postman, no issue. I get the data perfectly. When I make the request through a fetch call within my React app, I get a seemingly classic CORS error:
Access to fetch at 'https://api.content.tripadvisor.com/api/v1/location/[...]' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
My understanding is that this is because I'm making a call from localhost to tripadvisor.com. The mismatch is setting off the CORS error in my browser (Chrome). I get that.
What I don't understand is how anyone uses this API then. My understanding is that the issue is that TripAdvisor's not sending the required header ("Access-Control-Allow-Origin" with the value of my specified domain/IP address).
The 7 headers they send back are: Date, Content-Type, Content-Length, Connection, x-amzn-RequestId, x-amz-apigw-id, X-Amzn-Trace-Id.
Do I need to set up a proxy server as a middleman to bypass the CORS mismatch?
Is everyone who uses this API doing that?? That seems crazy to me.
All insight welcome.