[developers] RESTful ERG parsing

Michael Wayne Goodman goodmami at u.washington.edu
Tue Apr 19 23:32:05 CEST 2016

On Tue, Apr 19, 2016 at 1:04 PM Stephan Oepen <oe at ifi.uio.no> wrote:

> [...] mike and ned, does the above sound about right to you?  if so, i
> think i could provide CORS support immediately.  if that were available,
> do you see additional value in also supporting JSONP?

Your summary looks about right. In my previous message, I thought CORS
required a more complicated server configuration, but if it's just a header
then it does seem pretty simple. If there's no benefit, then, to using
JSON-P besides supporting older IE browsers, we probably don't need it.

I'm also becoming less fond of JSON-P because it is just a clever use of a
cross-site-scripting hack. The client sends the request by dynamically
altering their document with a new <script> element whose URL is the
request, and it then executes whatever JavaScript the server sends back. As
long as you trust the server, it's fine, but it's still a hack (although it
is used by some major services, such as GitHub, Google, etc.).

> On Tue, Apr 19, 2016 at 3:30 PM, Ned Letcher <ned at nedned.net> wrote:
> > [...] My understanding is that, currently, my code would have to be
> > hosted off delph-in.net in order for it to make a successful ajax
> > request to the API.

Actually I think it would have to be hosted at the same sub-domain, i.e.
erg.delph-in.net. Subdirectories are ok, though, so
erg.delph-in.net/some_application would be able to access it, but that
means the owner of the subdomain needs to manage all apps that use the API.
If the API is meant to be consumed by external apps, CORS or JSON-P is the
way to do it.
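
The same-origin rule and the "just a header" CORS check discussed in this message, as an added example that is not part of the original e-mail or of the project's code. The function names, the endpoint path, the allow list and the external origins are constructed for illustration, and the browser check is simplified to plain GET requests without credentials.

```javascript
// An origin is the (scheme, host, port) triple; the path is not part of it,
// which is why a subdirectory is fine but a different sub-domain is not.
function originOf(url) {
  return new URL(url).origin;
}

// Server side: CORS response headers for a request's Origin header.
// `allowed` is a hypothetical allow list of origins; "*" admits any site.
function corsHeaders(requestOrigin, allowed) {
  if (allowed.includes("*")) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (requestOrigin && allowed.includes(requestOrigin)) {
    // Echo the one matching origin and tell caches the response varies by it.
    return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
  }
  return {}; // no header: the browser withholds the response from the page
}

// Browser side: may script running on pageUrl read a response from apiUrl?
function pageMayRead(pageUrl, apiUrl, responseHeaders) {
  const page = originOf(pageUrl);
  if (page === originOf(apiUrl)) return true; // same origin, CORS not involved
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === page;
}

// Constructed sample data: host from the thread, path and origins invented.
const API = "http://erg.delph-in.net/example-endpoint";
const ALLOWED = ["https://app.example.org"];

function check(pageUrl, allowed) {
  const headers = corsHeaders(originOf(pageUrl), allowed);
  return pageMayRead(pageUrl, API, headers);
}

function demo() {
  return {
    parentDomainNoCors: check("http://delph-in.net/app/", []),
    sameSubdomainPath: check("http://erg.delph-in.net/some_application/", []),
    externalAllowed: check("https://app.example.org/", ALLOWED),
    externalNotListed: check("https://other.example.net/", ALLOWED),
    anyOriginWildcard: check("https://other.example.net/", ["*"]),
  };
}

console.log(demo());
```

Unlike JSON-P, the cross-origin response here is handed to the page as data only when the header check passes; nothing the server returns is executed as script.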