Re: [Catalyst] Re: Converting a GET request to a POST request

2010-11-29 Thread Ronald J Kimball
On Fri, Nov 26, 2010 at 3:02 PM, Aristotle Pagaltzis wrote:
> * Ronald J Kimball [2010-11-23 18:00]:
>> REST principles dictate that I use POST, not GET, for these
>> requests. The same-origin policy forces me to use JSONP, which
>> can only make GET requests, not POST. What's the solution?
>
> “You can’t get there from here”: you can’t use Javascript to make
> unsafe requests outside the origin.
>
> Step back. What are you actually trying to do?
>
> I could imagine that eg. an OAuth-based solution could work
> (wherein the user hands other sites an auth token from you, and
> the sites use that token to make requests to your site on their
> users’ behalf). Or maybe it’s too complicated or overkill for
> you – that depends on your aim and constraints.
>
> So tell us about them.

This is for a widget that will be hosted on third party websites.  The
widget will allow users of those sites to interact with our content.
The widget will be written in JavaScript and HTML.  The widget will
retrieve content and submit user interactions using Ajax and JSONP
(supposedly via a REST API :).  Users will not be required to log in
to interact with the content in the widget.

Thank you for your feedback.  Some of this is new territory for me, so
being steered away from doing things the wrong way is very helpful.

Ronald

___
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/


Re: [Catalyst] Re: Converting a GET request to a POST request

2010-11-25 Thread Sam Kaufman
I proposed a solution, the package Resty::Controller::API; example I
sent earlier. Trying to write your controller using
Catalyst::Action::Deserialize is a mistake, as it's not what
Deserialize does.
From http://search.cpan.org/~bobtfish/Catalyst-Action-REST-0.87/lib/Catalyst/Action/Deserialize.pm:

"This action will deserialize HTTP POST, PUT, and OPTIONS requests. It
assumes that the body of the HTTP Request is a serialized object. The
serializer is selected by introspecting the requests content-type
header."

You want to deserialize a GET request. GET requests have no body. GET
requests generated by 

Re: [Catalyst] Re: Converting a GET request to a POST request

2010-11-23 Thread Ronald J Kimball
On Mon, Nov 22, 2010 at 3:12 PM, Aristotle Pagaltzis wrote:
> This is really, really, really bad. It’s roughly like modifying
> a file system to allow file deletion as a side effect of
> opening a file. GET is supposed to be safe, that is, it should be
> free of side effects that the user cannot be held responsible
> for. It is very, very easy to get a browser to send GET requests
> incidentally, eg. by putting the link in a `` or
> a stylesheet `` and getting a user to visit. Things like
> Google Web Accelerator and other automated user agents (like
> search engines of course) also generally assume that GET is safe.
> Much web infrastructure also assumes that GET requests are
> cacheable, so if there are any proxies between the app and the
> user, sending multiple pseudo-POST requests may not actually do
> anything.

I completely understand the points you're making here.  As I said, one
of the drawbacks of this solution is that it makes me feel really
dirty.

For what it's worth, the REST methods that I want to expose in this
way are for posting responses to content.  There won't be any deletes.


> The same-origin policy is not there by mistake, but to keep your
> users safe from malicious 3rd party sites they may visit.

REST principles dictate that I use POST, not GET, for these requests.
The same-origin policy forces me to use JSONP, which can only make GET
requests, not POST.  What's the solution?


Ronald
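
The hazard raised in the quoted reply above, shown as an added example that is not part of the original thread or of Catalyst: a dispatcher that lets a GET stand in for a POST, beside one that treats the wire method as authoritative. The `/responses` route, the `_method` query parameter, the `widget.example` host and the in-memory store are hypothetical.

```javascript
// Added illustration. The /responses route, the `_method` parameter and the
// in-memory store are hypothetical; they are not from the thread or from Catalyst.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

const routes = {
  "/responses": {
    GET: { mutates: false, run: (store) => ({ status: 200, body: [...store] }) },
    POST: { mutates: true, run: (store, req) => {
      store.push(req.body);
      return { status: 201, body: req.body };
    } },
  },
};

// "Before": a GET carrying ?_method=POST is dispatched as a POST (the JSONP tunnel).
function naiveDispatch(req, store) {
  const url = new URL(req.url, "http://widget.example");
  const method = (url.searchParams.get("_method") || req.method).toUpperCase();
  const handler = routes[url.pathname]?.[method];
  if (!handler) return { status: 404 };
  const body = req.body ?? url.searchParams.get("text");
  return handler.run(store, { ...req, body });
}

// "After": only the method on the request line counts, and a safe method can
// never reach a handler that is marked as mutating.
function strictDispatch(req, store) {
  const url = new URL(req.url, "http://widget.example");
  const route = routes[url.pathname];
  if (!route) return { status: 404 };
  const method = req.method.toUpperCase();
  const handler = route[method];
  if (!handler || (handler.mutates && SAFE_METHODS.has(method))) {
    return { status: 405, headers: { Allow: Object.keys(route).join(", ") } };
  }
  return handler.run(store, req);
}

// Constructed sample: the same tunnel URL fetched three times without anyone
// submitting anything (an embedded resource, a prefetcher, a crawler).
const incidental = Array(3).fill({ method: "GET", url: "/responses?_method=POST&text=spam" });

// Replays the incidental GETs and reports how many records they created.
function replay(dispatch) {
  const store = [];
  const statuses = incidental.map((req) => dispatch(req, store).status);
  return { stored: store.length, statuses };
}
```

With the naive dispatcher every incidental fetch stores a record; with the strict one the same requests are served as plain reads and the store stays empty, while a real POST still succeeds.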
