Add Support for CORS #432

Closed
matthewrobertson opened this Issue · 5 comments

4 participants

@matthewrobertson

Currently cross origin requests to the API can be made via JSONP only. JSONP does not allow for POST requests, thus this effectively makes the API read-only for JavaScript developers. It can be hacked together via server side technology such as a reverse proxy, but this is a PITA and presents a huge barrier for devs interested in hacking together an API app that might be really cool for the community (the whole reason for an API to exist in the first place).

JSONP is an old school hack. A modern, standards compliant alternative to JSONP is CORS. This is the protocol that the Reddit API should be using to support cross origin requests.

If this is something you are interested in adding I would be very happy to help with implementation.

@spladug
Owner

JSONP is used to provide read-only access to the parts of the API that wouldn't be a privacy or security concern to expose. If you have a specific example of a portion of the API that you would want to support CORS and that can be done so without allowing third party websites to arbitrarily execute actions as yourself, then please let us know.

@spladug spladug closed this
@matthewrobertson

Well the first step would be to allow CORS for all the GET requests that are currently allowed by JSONP. IMHO this is the "right" way to do this and it will make life easier (and improve performance) for devs that are / will use this part of the API.

But here is an example of a more complex use case: I want to build a mobile Reddit client using PhoneGap (JavaScript, CSS, HTML) and I want users to be able to log in and vote. Right now I can't do this without setting up my own server to proxy all the requests to the reddit API.

Why shouldn't these requests be allowed via CORS? When a CORS request comes in to the server, the server knows the domain from which it originated; this information is passed in headers that the client cannot spoof. The CORS cookies are not readable or writeable by the cross domain client. I don't see how supporting CORS will introduce any privacy / security concerns that cannot be prevented.

@S0lll0s

I currently can't even get the RSS feed via JS because there is no CORS support... that's just not cool

@umbrae
Owner

CORS is now supported for logged out requests to the API specifically: http://www.reddit.com/r/changelog/comments/1r0u3v/reddit_change_third_party_websites_can_now_make/

@S0lll0s

Mmh, didn't work for me, but I switched to JSONP now anyway.
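
An added illustration (not part of the thread and not reddit's implementation) of the policy the owners describe: cross-origin reads are permitted only for logged-out requests, and no response ever opts in to credentials. The cookie name `session`, the function names and the sample requests are assumptions constructed for this example.

```python
# Added example, not reddit's code. Names below are hypothetical.
SAFE_METHODS = {"GET", "HEAD"}
SESSION_COOKIE = "session"  # assumed name of the login cookie


def has_session(cookie_header):
    """True if the Cookie header carries a non-empty session cookie."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return True
    return False


def cors_headers(method, headers):
    """Return the CORS response headers for one request ({} means none).

    `headers` is a dict of request headers with lowercase names.
    """
    origin = headers.get("origin")
    if origin is None:
        return {}  # no Origin header: not a cross-origin browser request
    if method == "OPTIONS":
        # Preflight: approve read-only methods only, never credentials.
        wanted = headers.get("access-control-request-method", "")
        if wanted not in SAFE_METHODS:
            return {}
        return {"Access-Control-Allow-Origin": "*",
                "Access-Control-Allow-Methods": "GET, HEAD",
                "Access-Control-Max-Age": "600"}
    if method not in SAFE_METHODS:
        return {}  # state-changing calls get no CORS grant
    if has_session(headers.get("cookie")) or "authorization" in headers:
        # Logged-in response: the calling page must not be able to read it.
        # Browsers also reject "*" for credentialed requests; this check is
        # defense in depth on the server side.
        return {}
    # Logged-out read: any origin may read it. Allow-Credentials is never sent.
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    # Constructed sample requests.
    print(cors_headers("GET", {"origin": "https://app.example"}))
    print(cors_headers("GET", {"origin": "https://app.example",
                               "cookie": "theme=dark; session=abc123"}))
    print(cors_headers("POST", {"origin": "https://app.example"}))
```

Withholding CORS headers stops the calling page from reading a response and makes preflighted requests fail, but a simple cross-origin POST still reaches the server, so state-changing endpoints need their own CSRF defense.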
