Document API requirements

Question

Document API requirements

Closed this issue 5 years ago · 5 comments

API endpoints should return a HTTP200 status code. Furthermore, they should set the Access-Control-Allow-Origin: * header.

Answer 1 · 2017-01-24T15:18:39.000Z

Security: Must not enable jsonp

Answer 2 · 2017-01-24T16:32:21.000Z

@dns2utf8 What exactly do you mean with that?

Answer 3 · 2017-01-24T20:03:04.000Z

A JSONp endpoint has some security problems

Answer 4 · 2017-01-25T07:41:05.000Z

Well yes, if you use JSONP to load a SpaceAPI endpoint, then that endpoint can inject code into your page. But that's the whole point of using JSONP :)

~~In any case, can one even prevent the use of the JSONP technique as server operator?~~

Since most (all?) endpoints don't implement JSONP (and since it's not necessary with CORS headers), I don't think we need to add any rule for this.

Answer 5 · 2019-08-24T16:40:31.000Z

Added by #30