WhiteHouse / api-standards


CORS? #14

Open inadarei opened 11 years ago

inadarei commented 11 years ago

This is just my personal opinion, so please feel free to take it with a grain of salt, but I have found many API designers share it, so for whatever it's worth:

You may not need JSONP if you enable CORS Access-Control-Allow-Origin: * (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) in all your API responses.

Enabling it does not decrease the security of your API one wee bit (many would argue JSONP is less secure) and removes a lot of complexity.

benbunk commented 11 years ago

+1 for CORS and Access-Control-Allow-Origin: * on read operations. Other operations might require a different CORS rule to restrict access (write operations).
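
The split suggested in the comment above (wildcard on reads, a stricter rule on writes), sketched as a header-selection function. This is an added example, not code from the thread or from the api-standards repository; the function name, the origin allowlist and the allowed request headers are assumptions.

```javascript
// Added example: pick CORS response headers per operation type.
// ALLOWED_WRITE_ORIGINS and all sample origins are constructed values.
const READ_METHODS = new Set(["GET", "HEAD"]);
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const ALLOWED_WRITE_ORIGINS = new Set(["https://app.example.gov"]);

function corsHeaders(method, reqHeaders) {
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(reqHeaders)) h[k.toLowerCase()] = v;
  const origin = h["origin"];

  const verb = method.toUpperCase();
  const preflight = verb === "OPTIONS" && "access-control-request-method" in h;
  // For a preflight, policy depends on the method the browser wants to send.
  const effective = preflight
    ? h["access-control-request-method"].toUpperCase()
    : verb;

  if (READ_METHODS.has(effective)) {
    // Reads: any origin may see the response.
    const out = { "Access-Control-Allow-Origin": "*" };
    if (preflight) out["Access-Control-Allow-Methods"] = "GET, HEAD";
    return out;
  }
  if (WRITE_METHODS.has(effective) && origin && ALLOWED_WRITE_ORIGINS.has(origin)) {
    // Writes: echo the exact listed origin; Vary stops caches reusing it.
    const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
    if (preflight) {
      out["Access-Control-Allow-Methods"] = "POST, PUT, PATCH, DELETE";
      out["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
      out["Access-Control-Max-Age"] = "600";
    }
    return out;
  }
  // Unlisted origin or unknown method: no CORS headers, so the browser will
  // not expose the response to the calling page. CORS is enforced by the
  // browser only; write endpoints still need their own authentication.
  return {};
}
```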

hay commented 11 years ago

Agree 100%. Note that you do need to do a little magic to make CORS work properly in IE8. There's no support at all in IE7 and lower.

For example, you could use this jQuery plugin:

https://github.com/Ovea/cors/blob/master/src/main/resources/com/ovea/cors/jquery.ie.cors.js