Reported by rbrewer, Apr 12, 2010
Developers trying to use XML emitted from the WattDepot REST API in JavaScript face a problem, the same-origin policy:
http://en.wikipedia.org/wiki/Same_origin_policy
This prevents JavaScript code loaded from one site (like a Google gadget hosted at Google) from reading data on another site (like the WattDepot public server). The bogosity of the situation is described well here:
http://www.somebits.com/weblog/tech/bad/same-origin-policy-vs-jsonp.html
One solution is to support the Cross-Origin Resource Sharing W3C draft defined here:
http://www.w3.org/TR/cors/
Firefox 3.5 supports Cross-Origin Resource Sharing, and has a nice page explaining how it works:
https://developer.mozilla.org/En/HTTP_access_control
Since at the moment WattDepot contains only public data, there is no reason to restrict requests to the same origin. Therefore a first cut at providing support would be to add the "Access-Control-Allow-Origin: *" header to all resource requests. Later, this should be fixed to only apply to GET requests and only to public Sources.
This only solves the problem for browsers that support Cross-Origin Resource Sharing (supposedly Firefox 3.5 and Safari 4), so we'll still need to do JSONP for broader support.
Apr 12, 2010 rbrewer
r295 provides the first cut of support as discussed above.
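The later refinement described in the report (send the header only for GET requests and only for public Sources), sketched as an added example that is not WattDepot code and not part of r295. The source table, the `public` flag and the function names are assumptions made for illustration.

```javascript
// Added example, not WattDepot code. The source names and the `public`
// flag below are constructed for illustration.
const SOURCES = {
  "building-a": { public: true },
  "lab-private": { public: false },
};

// Decide which CORS headers a resource response may carry.
// Policy from the report: wildcard origin only for GET on a public Source.
function corsHeaders(method, sourceName, sources = SOURCES) {
  if (method !== "GET") return {};
  // Own-property check so names like "constructor" never match.
  if (!Object.prototype.hasOwnProperty.call(sources, sourceName)) return {};
  if (sources[sourceName].public !== true) return {};
  return { "Access-Control-Allow-Origin": "*" };
}

// Merge the CORS decision into an outgoing response object of the
// (assumed) shape { status, headers, body }.
function applyCors(response, method, sourceName, sources = SOURCES) {
  const cors = corsHeaders(method, sourceName, sources);
  const headers = { ...response.headers, ...cors };
  // A wildcard origin is only meant for anonymous reads: browsers refuse
  // "*" on credentialed requests, so never emit the two together.
  if (cors["Access-Control-Allow-Origin"] === "*") {
    delete headers["Access-Control-Allow-Credentials"];
  }
  return { ...response, headers };
}

// Constructed sample response for a public Source.
const sample = applyCors(
  { status: 200, headers: { "Content-Type": "text/xml" }, body: "<Source/>" },
  "GET",
  "building-a"
);
console.log(sample.headers);
```

A cross-origin script can read the response only when the header is present, so non-public Sources and write methods stay behind the same-origin policy under this rule.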