[Catalyst] Re: Converting a GET request to a POST request

Aristotle Pagaltzis pagaltzis at gmx.de
Fri Nov 26 20:02:59 GMT 2010


* Ronald J Kimball <rkimball at pangeamedia.com> [2010-11-23 18:00]:
> For what it's worth, the REST methods that I want to expose in
> this way are for posting responses to content. There won't be
> any deletes.

Still, it opens you up to hostile third-party sites injecting
15,000 bogus responses on behalf of a user.

> On Mon, Nov 22, 2010 at 3:12 PM, Aristotle Pagaltzis <pagaltzis at gmx.de> wrote:
> >The same-origin policy is not there by mistake, but to keep
> >your users safe from malicious 3rd party sites they may visit.
>
> REST principles dictate that I use POST, not GET, for these
> requests. The same-origin policy forces me to use JSONP, which
> can only make GET requests, not POST. What's the solution?

“You can’t get there from here”: you can’t use JavaScript to make
unsafe requests outside the origin.

<mst>Step back.</mst> What are you actually trying to do?

I could imagine that e.g. an OAuth-based solution could work
(wherein the user hands other sites an auth token from you, and
the sites use that token to make requests to your site on their
users’ behalf). Or maybe it’s too complicated or overkill for
you – that depends on your aim and constraints.

So tell us about them.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
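The two designs contrasted in the reply above, worked through as an added example. This is not code from the thread, nor Catalyst code; it models the server side in Python rather than Perl so it can be run stand-alone. The first handler is the JSONP-over-GET design the original poster was considering, where the browser attaches the user's session cookie and so any third-party page can trigger the action. The second is the reply's token idea: the action is only reachable over POST, and only with a token the user explicitly granted to the calling site, so the ambient cookie never authorises anything. Every name here (Request, SESSION_COOKIES, issue_delegated_token, hardened_policy, the "partner.example" site) is invented for the illustration, and the key and cookie table are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed sample data for this illustration only.
SERVER_KEY = b"constructed-server-secret-not-for-real-use"
SESSION_COOKIES = {"sess-alice": "alice"}   # cookie value -> logged-in user


@dataclass
class Request:
    """Hypothetical minimal HTTP request model (not Catalyst's)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_delegated_token(user: str, site: str, scope: str = "post_response",
                          ttl: int = 3600) -> str:
    """Token the user hands to a third-party `site` (the OAuth-style idea in the
    reply). HMAC-signed so the endpoint can verify it without a lookup."""
    claims = {"user": user, "site": site, "scope": scope,
              "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_delegated_token(token: str, scope: str):
    """Return the claims if signature, scope and expiry check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("scope") != scope or claims.get("exp", 0) < time.time():
        return None
    return claims


def jsonp_policy(req: Request):
    """The design under discussion: a GET that posts a response, authenticated
    by the ambient session cookie and wrapped in a JSONP callback. Any page the
    user visits can trigger it with a <script> tag; that is the 'bogus
    responses on behalf of a user' hazard named in the reply."""
    if req.path != "/responses" or req.method != "GET":
        return 404, None
    user = SESSION_COOKIES.get(req.cookies.get("session"))
    if user is None:
        return 401, None
    body = {"posted_by": user, "via": "cookie"}
    cb = req.query.get("callback")
    return 200, (f"{cb}({json.dumps(body)})" if cb else body)


def hardened_policy(req: Request):
    """Unsafe action only over POST, and only with an explicit delegated token
    in the Authorization header; the session cookie is ignored entirely, so a
    cross-site <script> or <img> fetch cannot act on the user's behalf."""
    if req.path != "/responses":
        return 404, None
    if req.method != "POST":
        return 405, None            # GET, and therefore JSONP, cannot post
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None            # cookie-only callers get nothing
    claims = verify_delegated_token(auth[len("Bearer "):], scope="post_response")
    if claims is None:
        return 403, None
    return 200, {"posted_by": claims["user"], "via": claims["site"]}


def demo():
    # A third-party page loads /responses?callback=x in the victim's browser,
    # which attaches the victim's session cookie automatically.
    forged = Request("GET", "/responses", cookies={"session": "sess-alice"},
                     query={"callback": "x"})
    # A site the user authorised posts with the token she granted it.
    token = issue_delegated_token("alice", "partner.example")
    delegated = Request("POST", "/responses",
                        headers={"Authorization": "Bearer " + token})
    return {
        "jsonp_forged": jsonp_policy(forged)[0],              # 200: accepted
        "hardened_forged": hardened_policy(forged)[0],        # 405: refused
        "hardened_delegated": hardened_policy(delegated)[0],  # 200: allowed
    }


if __name__ == "__main__":
    print(demo())
```

The token here is deliberately minimal: a real OAuth deployment adds a consent step, revocation and per-site client credentials, but the property that matters for the thread is already visible, namely that the hardened endpoint never treats the browser's cookie as authorisation, so the same-origin restriction on cross-site POST is no longer something to work around.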
