* Ronald J Kimball <[email protected]> [2010-11-23 18:00]:
> For what it's worth, the REST methods that I want to expose in
> this way are for posting responses to content. There won't be
> any deletes.

Still, it opens you up to hostile third-party sites injecting
15,000 bogus responses on behalf of a user.

> On Mon, Nov 22, 2010 at 3:12 PM, Aristotle Pagaltzis <[email protected]> wrote:
> > The same-origin policy is not there by mistake, but to keep
> > your users safe from malicious 3rd party sites they may visit.
>
> REST principles dictate that I use POST, not GET, for these
> requests. The same-origin policy forces me to use JSONP, which
> can only make GET requests, not POST. What's the solution?

“You can’t get there from here”: you can’t use Javascript to make
unsafe requests outside the origin.

<mst>Step back.</mst>

What are you actually trying to do?

I could imagine that eg. an OAuth-based solution could work
(wherein the user hands other sites an auth token from you, and
the sites use that token to make requests to your site on their
users’ behalf).

Or maybe it’s too complicated or overkill for you – that depends
on your aim and constraints. So tell us about them.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
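The point made above, as an added illustration that is not part of the thread and not Catalyst code: a small server-side policy for the "post a response" endpoint that shows why a JSONP-reachable (GET plus cookie) mutation is open to any site the user visits, and what the two safe shapes look like: a same-origin POST carrying a per-session CSRF token, and the OAuth-style option where the partner site sends a token the user issued in an Authorization header, which browsers never attach on their own. The `Request` class, `SITE_ORIGIN`, the token values and the sample requests are all constructed for the example; the project's real request objects and session store would be used in practice.

```python
"""Added example: accept/reject policy for a state-changing endpoint.

Not code from the Catalyst thread.  Request, SITE_ORIGIN, VALID_API_TOKENS
and the sample requests below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac

SITE_ORIGIN = "https://example.test"   # constructed: the application's own origin
VALID_API_TOKENS = {"tok-a1b2c3"}      # constructed: tokens the user issued to partner sites


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    # What the server-side session store says this cookie's CSRF token is.
    session_csrf: Optional[str] = None


def decide(req: Request) -> tuple:
    """Return (accepted, reason) for a request that would create a response."""
    # 1. Explicit bearer token (the OAuth-style path): the caller had to set a
    #    header deliberately, so the request is not riding on ambient cookie
    #    authority from whatever page the user happens to be viewing.
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
        if any(hmac.compare_digest(token, t) for t in VALID_API_TOKENS):
            return True, "valid bearer token"
        return False, "unknown bearer token"

    # 2. Everything else is cookie-authenticated and needs CSRF defences.
    #    A JSONP call is exactly a cookie-bearing GET with ?callback=...,
    #    so rejecting non-POST closes that shape outright.
    if req.method != "POST":
        return False, "state change must be POST (JSONP/GET rejected)"

    # 3. The browser sets Origin (or Referer) itself; a page on another site
    #    cannot forge it, so a mismatch means a cross-site request.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return False, "cross-origin POST from %s rejected" % (origin or "<none>")

    # 4. Per-session CSRF token, compared in constant time.
    sent = req.form.get("csrf_token", "")
    if not req.session_csrf or not hmac.compare_digest(sent, req.session_csrf):
        return False, "missing or mismatched CSRF token"
    return True, "same-origin POST with valid CSRF token"


def sample_requests() -> dict:
    """Constructed requests covering the shapes discussed in the thread."""
    cookie = {"session": "sess-123"}
    return {
        # The JSONP shape: a <script> load from another site, cookies attached.
        "jsonp_from_third_party": Request(
            "GET", "/response",
            headers={"Referer": "https://other.test/page"},
            query={"callback": "cb", "text": "bogus"},
            cookies=cookie, session_csrf="csrf-xyz"),
        "same_origin_post": Request(
            "POST", "/response",
            headers={"Origin": SITE_ORIGIN},
            form={"text": "hello", "csrf_token": "csrf-xyz"},
            cookies=cookie, session_csrf="csrf-xyz"),
        "cross_origin_post": Request(
            "POST", "/response",
            headers={"Origin": "https://other.test"},
            form={"text": "hello", "csrf_token": "csrf-xyz"},
            cookies=cookie, session_csrf="csrf-xyz"),
        # Partner site calling on the user's behalf with a user-issued token.
        "partner_with_token": Request(
            "POST", "/response",
            headers={"Authorization": "Bearer tok-a1b2c3"},
            form={"text": "hello"}),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print("%-24s -> %s" % (name, decide(req)))
```

The bearer-token branch is what makes the OAuth suggestion work without JSONP: the partner site calls your API server-to-server (or via a proper CORS-enabled POST) with a token the user granted, so the request carries explicit, revocable authority instead of whatever cookie the user's browser would have attached to a GET.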
