In this thread it has been repeated several times that .js endpoints via GET are a security breach. And that people should stick to JSON.
Let me make clear for the archives that this is not generally the case. There are valid use cases for dynamically generated public JavaScript, for example when your application exposes a widget that 3rd-party clients request to have their DOM modified with content. Think Disqus. I have implemented centralized rating systems for hotel providers that work that way.

The potential problem happens when your JavaScript GET endpoint exposes sensitive/private data. Now, since the former is a rare use case compared to the latter, the XHR protection should probably be enabled by default, but you still need to be able to opt out.
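The default-on check with a per-endpoint opt-out described above, as an added example that is not code from the thread or from Rails: a minimal Rack-style middleware that refuses a plain (non-XHR) GET for a `.js` response, since a `<script src>` tag on another origin would otherwise receive the user's private data, while an allowlist of public widget paths opts out. The `XhrOnlyJs` class, the `public_js` option, the two endpoints and their bodies are all constructed for this example.

```ruby
# Added example (not from the thread or from Rails): models the "XHR
# protection" for dynamically generated JavaScript.  A GET whose path
# ends in .js is refused unless it carries X-Requested-With: XMLHttpRequest
# (the header Rack's request.xhr? looks at), except for paths listed in
# `public_js`, which are meant to be loaded by third-party pages.
class XhrOnlyJs
  def initialize(app, public_js: [])
    @app = app
    @public_js = public_js # assumption: exact-path allowlist for the opt-out
  end

  def call(env)
    if env["REQUEST_METHOD"] == "GET" &&
       env["PATH_INFO"].end_with?(".js") &&
       !@public_js.include?(env["PATH_INFO"]) &&
       env["HTTP_X_REQUESTED_WITH"] != "XMLHttpRequest"
      return [403, { "Content-Type" => "text/plain" },
              ["Cross-origin JavaScript GET refused"]]
    end
    @app.call(env)
  end
end

# Two hypothetical endpoints: a widget intended for third-party pages and a
# per-user response that must stay private to same-origin XHR callers.
INNER_APP = lambda do |env|
  body = { "/widget.js"  => "renderRating('Hotel X', 4.5);",
           "/account.js" => "showBalance('alice', 1234);" }[env["PATH_INFO"]]
  return [404, { "Content-Type" => "text/plain" }, ["not found"]] unless body
  [200, { "Content-Type" => "application/javascript" }, [body]]
end

# Protection on by default; only the widget opts out.
APP = XhrOnlyJs.new(INNER_APP, public_js: ["/widget.js"])

# Builds a constructed Rack env for a GET and returns the response status.
def status_for(path, xhr: false)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  env["HTTP_X_REQUESTED_WITH"] = "XMLHttpRequest" if xhr
  APP.call(env).first
end

if __FILE__ == $0
  puts status_for("/widget.js")             # 200: public widget, opted out
  puts status_for("/account.js")            # 403: script-tag style GET refused
  puts status_for("/account.js", xhr: true) # 200: same-origin XHR allowed
end
```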
