CORS?
inadarei opened this issue · 2 comments
This is just my personal opinion, so please feel free to take it with a grain of salt, but I have found many API designers share it, so for whatever it's worth:
You may not need JSONP if you enable CORS Access-Control-Allow-Origin: * (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) in all your API responses.
Enabling it does not decrease the security of your API a wee bit (many would argue JSONP is less secure) and removes a lot of complexity.
+1 for CORS and Access-Control-Allow-Origin: * on read operations. Other operations might require a different CORS rule to restrict access (write operations).
Agree 100%. Note that you do need to do a little magic to make CORS work properly in IE8. There's no support at all in IE7 and lower.
For example, you could use this jQuery plugin:
https://github.com/Ovea/cors/blob/master/src/main/resources/com/ovea/cors/jquery.ie.cors.js
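
The split suggested in the comments above (wildcard on read operations, a stricter rule for write operations), sketched as an added example that is not part of the original thread or the project's code. The function name `corsHeaders` and the allowlisted origin are assumptions made for illustration:

```javascript
// Added example: CORS policy split by operation type.
// WRITE_ORIGINS is a constructed allowlist; replace with your own front-end origins.
const READ_METHODS = new Set(["GET", "HEAD"]);
const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const WRITE_ORIGINS = new Set(["https://app.example.com"]);

// Returns the CORS response headers for a request, or {} when the browser
// should get no cross-origin grant at all.
function corsHeaders(method, origin, requestedMethod) {
  method = method.toUpperCase();
  // A preflight (OPTIONS) is judged by the method it asks permission for
  // (the Access-Control-Request-Method request header).
  const effective = method === "OPTIONS" && requestedMethod
    ? requestedMethod.toUpperCase()
    : method;

  if (READ_METHODS.has(effective)) {
    // Public reads: wildcard, never combined with Allow-Credentials.
    const h = { "Access-Control-Allow-Origin": "*" };
    if (method === "OPTIONS") h["Access-Control-Allow-Methods"] = "GET, HEAD";
    return h;
  }

  if (WRITE_METHODS.has(effective) && origin && WRITE_ORIGINS.has(origin)) {
    // Writes: echo the origin only on an exact allowlist match. Vary keeps
    // shared caches from serving one origin's grant to another.
    const h = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
    if (method === "OPTIONS") {
      h["Access-Control-Allow-Methods"] = [...WRITE_METHODS].join(", ");
      h["Access-Control-Allow-Headers"] = "Content-Type";
    }
    return h;
  }

  // Unknown origin or method: no grant, so the browser blocks the response.
  return {};
}
```

CORS headers only control what a browser lets another origin read or preflight; write endpoints still need their own authentication and authorization checks.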