> On Mar 19, 2015, at 4:12 AM, Paul Moore <[email protected]> wrote:
>
> On 19 March 2015 at 02:57, Donald Stufft <[email protected]> wrote:
>> For awhile now PyPI has supported JSONP on the /pypi/*/json API to allow people
>> to access the JSON data in a cross origin request. JSONP is a problematic pseudo
>> standard which has niggly edge cases which make it hard to fully secure.
>> Browsers have a much better standard through CORS to handle this use case.
>>
>> As of now this endpoint has CORS enabled on it and any new or existing
>> consumers of this API should switch to using CORS instead of JSONP. Warehouse
>> will not be implementing the JSONP endpoint so when we switch PyPI to the
>> Warehouse code base anything still relying on JSONP will break.
>
> For those of us who don't know (and are too lazy to google CORS :-))
> could you provide an example of how to replace uses of the JSON API?
> For example, a script I currently use has:
>
>     url = 'https://pypi.python.org/pypi/' + args.name
>     req = requests.get(url + "/json")
>     data = req.json()
>     url = data['info'].get('home_page', url)
>
> Thanks,
> Paul

If you're using a script this doesn't affect you. JSONP and CORS are two methods for allowing the JavaScript on example.com to access a JSON URL on example.net. They are ways of getting around the fact that the browser doesn't generally allow cross origin requests.

JSONP is problematic for a variety of security reasons, and it exists primarily as a hack to work around the fact that browsers didn't let you make HTTP requests with JavaScript to another domain. CORS is the standard, supported, and secure way of doing it. It's also a heck of a lot simpler.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
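
The difference between the two mechanisms discussed in this thread, as an added example that is not part of the original messages or of PyPI's code: a JSONP response is run as script in the consuming page, while a CORS response is gated by the `Access-Control-Allow-Origin` header and then parsed as data. The function names, the `session` object and the sample responses are constructed for illustration, and `new Function` stands in for the `<script>` tag a browser would use.

```javascript
// Constructed sample data; nothing here talks to the network.
const GOOD_JSON = '{"info": {"home_page": "https://example.org/project"}}';
// A JSONP body is script: the callback call plus anything else the server sends.
const JSONP_BODY = 'handle(' + GOOD_JSON + '); session.user = "set-by-response";';

// JSONP: a <script src="...?callback=handle"> tag makes the browser run the
// response as code in the page. new Function stands in for that script tag.
function consumeJsonp(body, page) {
  let received = null;
  const handle = (data) => { received = data; };
  new Function('handle', 'session', body)(handle, page.session);
  return received;
}

// CORS: for a simple GET without credentials, the browser exposes the response
// to the page only when Access-Control-Allow-Origin is "*" or the page's own
// origin. The page then parses the body as data and never executes it.
function consumeCors(response, pageOrigin) {
  const allowed = response.headers['access-control-allow-origin'];
  if (allowed !== '*' && allowed !== pageOrigin) {
    throw new Error('blocked by same-origin policy');
  }
  return JSON.parse(response.body); // throws on anything that is not JSON
}

function demo() {
  const origin = 'https://example.com';
  const cors = { 'access-control-allow-origin': '*' };
  const page = { session: { user: 'alice' } };
  const viaJsonp = consumeJsonp(JSONP_BODY, page);
  const viaCors = consumeCors({ headers: cors, body: GOOD_JSON }, origin);
  let scriptRejected = false;
  try {
    consumeCors({ headers: cors, body: JSONP_BODY }, origin);
  } catch (e) {
    scriptRejected = e instanceof SyntaxError;
  }
  return {
    jsonpHome: viaJsonp.info.home_page,
    pageUserAfterJsonp: page.session.user, // changed by the response itself
    corsHome: viaCors.info.home_page,
    scriptRejected, // the same body is refused when treated as data
  };
}
```
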
