On Thu, Jun 26, 2008 at 10:25:27PM +0200, Frederik Ramm wrote:
> Hi,
>
> Thomas Wood wrote:
> > I think you're running into XSS limitations of browsers. You'll
> > probably need to proxy the request on the same domain that's hosting
> > the page.
>
> Someone talked to me about this at the LinuxTag. He was adamant that our
> API should support JSON (in addition to XML) as a return data format. He
> said that a JSON message would be valid JavaScript and thus it could be
> loaded <script>-like into a JavaScript app, circumventing the
> same-origin policy that applies to XmlHttpRequest.
That's sort of true. (Specifically, your API has to support an arbitrary
'callback' parameter, to wrap the JavaScript *object* in a function. At
least, that's how every service and all code I've used have done it.)

Note that this doesn't actually require that we stop returning XML: we
could return XML wrapped in a JSON response, and then just parse the XML
as a string (which OpenLayers has the ability to do); this would
eliminate the need for much code, just meaning you'd add a Rails bit to
take ?callback= to mean 'wrap the XML in a string and a function_call()'.

> I said why bother, people can easily proxy requests if they want, but he
> said that there's a large group of possible users that wouldn't be able
> to set up a proxy and for whom a JSON interface would be an absolute
> requirement.

I agree that this is true.

> I don't even know if there was any merit to his ramblings, technically -
> can you really dynamically load JSON data from other hosts?

You can dynamically load JavaScript from other hosts, and in that, you can
wrap up JSON. It is a commonly used technique, and since the mechanism is
the same as the mechanism by which JavaScript *code* is loaded, there's no
differentiating between it and something like the Google Maps API, or
OpenLayers.

There are some security risks associated with this if you have private
data, but that doesn't apply to OSM -- there is no "GET" request that
requires authentication and provides non-public information, afaik.

Proxying isn't that hard. However, if you really don't have *any* server
side to work with -- think googlepages, other FTP-only hosting mechanisms,
etc. -- then it is true that data embedded in a JavaScript function call
is a way to avoid cross-site restrictions.

Regards,
--
Christopher Schmidt
MetaCarta

_______________________________________________
talk mailing list
[email protected]
http://lists.openstreetmap.org/cgi-bin/mailman/listinfo/talk
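One way the ?callback= wrapping described in this thread and its <script>-side consumer could look, as an added example (not code from the thread, from OSM or from OpenLayers); the function names and the sample XML are assumptions.

```javascript
// Added example (not from the thread or the OSM code base): the ?callback=
// wrapping described above, with the check a server should apply to it.
// Function names are hypothetical; the XML payload is constructed for the demo.

// Only accept a plain JavaScript identifier as the callback name. The name
// is echoed verbatim into a response the browser executes as script, so an
// unchecked value would let the request author inject arbitrary code.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*$/;

// Server side: the "Rails bit" that turns an XML document into a script
// response. JSON.stringify escapes quotes, backslashes and newlines, so the
// XML travels as one JavaScript string literal inside the function call.
function wrapXmlInCallback(xml, callbackName) {
  if (!CALLBACK_NAME.test(callbackName)) {
    throw new Error(`refusing unsafe callback name: ${callbackName}`);
  }
  return `${callbackName}(${JSON.stringify(xml)});`;
}

// Client side: what the browser does when the response arrives through a
// <script src="...?callback=handleOsm"> tag. A real page defines
// window.handleOsm; here the script body is evaluated with new Function so
// the round trip can run offline. The script runs with the full privileges
// of the embedding page, which is why only non-sensitive, unauthenticated
// GET data should be served this way.
function receiveJsonp(responseBody, callbackName) {
  let received = null;
  const runScript = new Function(callbackName, responseBody);
  runScript((payload) => { received = payload; });
  return received;
}

// Full round trip: XML string in, the same XML string delivered to the page,
// ready to be handed to an XML parser such as the one in OpenLayers.
function roundTrip(xml, callbackName) {
  return receiveJsonp(wrapXmlInCallback(xml, callbackName), callbackName);
}

// Constructed sample of an API response (not real OSM data).
const SAMPLE_XML =
  '<osm version="0.5"><node id="1" lat="50.0" lon="8.0"/></osm>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(wrapXmlInCallback(SAMPLE_XML, 'handleOsm'));
  console.log(roundTrip(SAMPLE_XML, 'handleOsm') === SAMPLE_XML);
}
```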

