Document API requirements
Closed this issue · 5 comments
dbrgn commented
API endpoints should return an HTTP 200 status code. Furthermore, they should set the `Access-Control-Allow-Origin: *` header.
dns2utf8 commented
Security: Must not enable JSONP
dns2utf8 commented
A JSONP endpoint has some security problems.
dbrgn commented
Well yes, if you use JSONP to load a SpaceAPI endpoint, then that endpoint can inject code into your page. But that's the whole point of using JSONP :)
In any case, can one even prevent the use of the JSONP technique as server operator?
Since most (all?) endpoints don't implement JSONP (and since it's not necessary with CORS headers), I don't think we need to add any rule for this.
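To make the two requirements from this thread concrete (HTTP 200 plus `Access-Control-Allow-Origin: *`) and to show what the JSONP contrast looks like in practice, here is an added example handler. It is not code from the SpaceAPI project or from anyone in the thread; the `/status.json` path and the status document fields are assumptions, and `jsonp_response` exists only to show what the discouraged form returns.

```python
"""Illustrative SpaceAPI-style endpoint handler (added example, not project code)."""
import json

# Constructed sample status document; the field names are assumptions for this
# example, not a statement of what the SpaceAPI schema requires.
SPACE_STATUS = {
    "api": "0.13",
    "space": "Example Hackerspace",
    "state": {"open": True},
}

# Assumed endpoint path for this example.
STATUS_PATH = "/status.json"


def base_headers(length):
    """Headers every response carries: plain JSON, CORS open to all origins."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Length": str(length),
        # The requirement from the thread: any origin may read the document
        # with a normal XHR/fetch, so JSONP is not needed.
        "Access-Control-Allow-Origin": "*",
        # Keeps browsers from sniffing the JSON as HTML or a script.
        "X-Content-Type-Options": "nosniff",
    }


def handle_request(path, query_string=""):
    """Return (status, headers, body) for a GET of the endpoint.

    The query string is deliberately not consulted: a ``callback=`` parameter,
    as JSONP clients send, is ignored and the body is always plain JSON rather
    than a script.  That is how a server operator keeps the endpoint from being
    used as a JSONP code source: data is served, never executable text.
    """
    if path != STATUS_PATH:
        body = json.dumps({"error": "not found"})
        return 404, base_headers(len(body)), body
    body = json.dumps(SPACE_STATUS)
    return 200, base_headers(len(body)), body


def jsonp_response(callback, data):
    """What a JSONP endpoint returns, shown only for contrast.

    The client-supplied ``callback`` name becomes part of a script that the
    embedding page runs; the page is trusting the endpoint with code execution.
    """
    return f"{callback}({json.dumps(data)});"


def is_plain_json(body):
    """True when the body parses as a JSON object (not a script wrapper)."""
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False


def check_response(status, headers):
    """Client-side check of the thread's two requirements; returns violations."""
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    if headers.get("Access-Control-Allow-Origin") != "*":
        problems.append("missing Access-Control-Allow-Origin: *")
    return problems


if __name__ == "__main__":
    status, headers, body = handle_request(STATUS_PATH, "callback=anything")
    print(status, headers)
    print(body)
    print("violations:", check_response(status, headers))
    print("JSONP form for contrast:", jsonp_response("cb", SPACE_STATUS))
```

Running the module shows that a request carrying `callback=anything` still gets a plain JSON object with the CORS header set, while `jsonp_response` produces a `cb({...});` script body, which is the form a consuming page would have to execute.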