Whilst this is all true, it should be negated by your access authentication and authorisation schema: no bot should have permission to change anything, because no non-authorised user has permission to change anything.

On 15/04/2013 05:11, Sanford Whiteman wrote:
Hartum, something else to keep in mind: JSONP implies GET, and GET should be 
implemented as a safe method (safe == not substantively altering server state 
-- think updates to transactional databases).

This guideline should be followed _whether or not_ you are sending stuff like 
'&simulate_method=PUT' to clue in your back end, because it's not enough to 
clue in your back end, you also have to take into account a front end like a 
spider/accelerator/proxy/inspector that could silently replay GET requests (which 
are actually PUTs) and cause harm.

In other words, gatewaying updates over JSONP is possible but should be 
avoided; it should be for queries only. (True, redoing an emulated PUT is less 
harmful than repeating a POST, since PUT should be implemented as idempotent so 
you can't get duplicates. Still, plenty of havoc can ensue.) YMMV depending on 
how much you control the ecosystem.

-- S.


--- You received this message because you are subscribed to the Google Groups "MooTools Users" group.