Tuesday, September 4, 2012

Should an API support cross-origin requests - CORS, JSONP?

One of the most requested features for an API provider is support for CORS or JSONP.

The request usually comes from client-side developers working in JavaScript or Flash, where the browser's same-origin policy (a security control) stops a page from reading responses from any origin other than its own.

One very good guide comes from Apigee:

1. Always make it possible for your API to return JSON.
2. Support JSONP as much as you can (since you can't use it to upload data that doesn't fit in the URL) and leave it up to the users of your API to assess the security risks.
3. Support CORS by returning the Access-Control-Allow-Origin header on all API responses and implementing the OPTIONS verb as specified in the CORS spec.
4. If you do the above your API will also support UMP.
5. Return a crossdomain.xml and clientaccesspolicy.xml file from the top level of your API domain for Flash and Silverlight clients.
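Items 2 and 3 of the guide, worked through as an added example (this is not code from the original post or from Apigee): a small policy layer in JavaScript that decides which CORS headers a request gets, answers the OPTIONS preflight, and builds a JSONP body with a validated callback name. The allowed origins, methods, headers and sample data are made-up assumptions, and the functions are pure so they can be exercised without a listening server.

```javascript
// Added example (not code from the original post or from Apigee's guide):
// a CORS + JSONP policy layer for an API, written as pure functions so it
// runs without a listening server. Origins, methods, headers and sample
// data below are made up for illustration.

// Origins allowed to read authenticated API responses from a browser.
// Reflecting whatever Origin the client sends while also setting
// Access-Control-Allow-Credentials: true would let any website issue
// requests as the logged-in user and read the answers.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];
const PREFLIGHT_MAX_AGE = 600; // seconds a browser may cache a preflight result

// Decide the CORS headers for one request.
//   origin     - the request's Origin header, or undefined if absent
//   method     - HTTP method
//   acrm       - Access-Control-Request-Method header (present on preflights)
//   publicData - true for endpoints whose data is world-readable
// Returns { status, headers }: status null means "serve the real resource and
// attach these headers"; otherwise the preflight is answered as returned.
function corsDecision({ origin, method, acrm, publicData = false }) {
  const headers = {};
  const isPreflight =
    origin !== undefined && method === 'OPTIONS' && acrm !== undefined;

  if (origin === undefined) {
    // No Origin header: same-origin request or a non-browser client.
    return { status: null, headers };
  }
  if (publicData) {
    // World-readable data: any origin may read it, but never with
    // credentials. Browsers reject '*' combined with Allow-Credentials,
    // so the two are kept mutually exclusive here.
    headers['Access-Control-Allow-Origin'] = '*';
  } else if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    // The answer now depends on Origin; caches must key on it, or one
    // origin's grant could be served to another.
    headers['Vary'] = 'Origin';
  } else {
    // Unknown cross-origin caller: no Access-Control-* headers at all, so
    // the browser blocks the read. Preflights are refused outright.
    return { status: isPreflight ? 403 : null, headers };
  }

  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = String(PREFLIGHT_MAX_AGE);
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// JSONP hands the data to the page as a script that it executes, so the
// caller-supplied callback name is effectively code. Restrict it to a plain
// (optionally dotted) identifier; otherwise an attacker can place arbitrary
// JavaScript into any page that embeds the API as a <script src=...>.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Build a complete JSONP response, or a 400 if the callback is unsafe.
function jsonpResponse(callback, data) {
  if (typeof callback !== 'string' || callback.length > 64 ||
      !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: {}, body: 'invalid callback name' };
  }
  // JSON permits raw U+2028/U+2029 inside strings, but older JavaScript
  // engines treat them as line terminators; escape them so the payload
  // cannot break out of the function call.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      // Declare the script type and forbid sniffing it as anything else.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment means the body cannot also parse as another file
    // type, a common hardening for JSONP endpoints.
    body: `/**/ ${callback}(${json});`,
  };
}

// Constructed requests covering the interesting cases.
const samples = {
  allowedPreflight: corsDecision({ origin: 'https://app.example.com', method: 'OPTIONS', acrm: 'PUT' }),
  unknownOrigin: corsDecision({ origin: 'https://evil.example.net', method: 'GET' }),
  publicRead: corsDecision({ origin: 'https://evil.example.net', method: 'GET', publicData: true }),
  badCallback: jsonpResponse('alert(1);//', { ok: true }),
};
console.log(JSON.stringify(samples, null, 2));
```

Two caveats that the guide's "leave it up to the users of your API" line glosses over: never reflect an arbitrary Origin together with Access-Control-Allow-Credentials: true, because that hands every site on the web the user's session; and treat the JSONP callback parameter as code, because the browser executes whatever comes back in the script tag.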

CORS looks like the trend. You could do JSONP too, but that was always more of a hack. YouTube, Dropbox, etc. are all implementing CORS.

Enable CORS!
