JSONP question for making PUT/POST/DELETE cross-domain requests

3.3k views Asked by At

I've created a RESTful API that supports GET/POST/PUT/DELETE requests. Now I want my API to have a Javascript client library, and I thought to use JSONP to bypass the cross-domain policy. That works, but of course only for GET requests.

So I started thinking how to implement such a thing and at the same time trying to make it painless to use.

I thought to edit my API implementation and check every HTTP request. If it's a JSONP requests (it has a "callback" parameter in the querystring) I force every API method to be executed by a GET request, even if it should be called by other methods like POST or DELETE.

This is not a RESTful approach to the problem, but it works. What do you think?

Maybe another solution could be to dynamically generate an IFrame to send non-GET requests. Any tips?

2

There are 2 answers

1
Tom Christie On BEST ANSWER

There's some relevant points on a pretty similar question here...

JSONP Implications with true REST

The cross-domain restrictions are there for a reason ;-)

Jsonp allows you to expose a limited, safe, read-only view of the API to cross domain access - if you subvert that then you're potentially opening up a huge security hole - malicious websites can make destructive calls to your API simply by including an image with an href pointing to the right part of the API

Having your webapp expose certain functionality accessed through iframes, where all the ajax occurs within the context of your webapp's domain is definitely the safer choice. Even then you still need to take CSRF into consideration. (Take a look at Django's latest security announcement on the Django blog for a prime example - as of a release this week all javascript calls to a Django webapp must be CSRF validated by default)

0
Poyoman On

The Iframe hack is not working anymore on recent browsers, do not use it anymore (source : http://jquery-howto.blogspot.de/2013/09/jquery-cross-domain-ajax-request.html)