After discussing possible options with @Timo614 the most feasible solution to the lack of CORS support in IE 9 for today's UFC launch seems to be using JSONP for all requests. This allows us to continue accessing the API over HTTPS. JSONP doesn't work for POST requests however, so inspired by Stripe @Timo614 is going to be writing middleware that converts GET requests that include a _method=post parameter to POST so that we minimize changes to the existing implementation, particularly on the frontend. This solution may have some undesirable security implications that we'll need to consider further.
The most sensitive data we are transferring presently are passwords that grant access to a forum and affiliate codes. Alternative solutions would most likely require the use of iframe's which may be a longer term solution but would require further development and testing that we probably cannot afford today.
This pull request has what I think are the only necessary changes to support this implementation. Will need to test once the middleware is deployed for testing however.
After discussing possible options with @Timo614 the most feasible solution to the lack of CORS support in IE 9 for today's UFC launch seems to be using JSONP for all requests. This allows us to continue accessing the API over HTTPS. JSONP doesn't work for POST requests however, so inspired by Stripe @Timo614 is going to be writing middleware that converts GET requests that include a
_method=postparameter to POST so that we minimize changes to the existing implementation, particularly on the frontend. This solution may have some undesirable security implications that we'll need to consider further.The most sensitive data we are transferring presently are passwords that grant access to a forum and affiliate codes. Alternative solutions would most likely require the use of iframe's which may be a longer term solution but would require further development and testing that we probably cannot afford today.
This pull request has what I think are the only necessary changes to support this implementation. Will need to test once the middleware is deployed for testing however.