Accessing the Kiva API using jQuery.


xlevel

Feb 9, 2009, 8:57:18 AM
to build-kiva
Hi,

Has anyone else tried doing this?

The callback using $.getJSON returns the data, but causes an "invalid
label" error when the callback method is executed.
When I look at the data it starts "{"paging":{". Because of the cross
domain call I think I need to use JSONP and the data needs to start
with the name of the callback method, and then brackets, something
like: "jsonp1234187302835({"paging":{".

Does anyone know if the API supports JSONP? If so, how to enable it?
If not, if this is going to be added in the near future?

Also, do you know if there is a JavaScript library that will allow
this?

Thanks,

Jim

skylar

Feb 9, 2009, 9:56:36 PM
to build-kiva
Jim, we don't have plans to support JSONP. Supporting this advocates
poor security practices and there are already some good ways to access
the data from JavaScript that protect your application and your
users. Here's a great article on the subject:

http://yuiblog.com/blog/2007/04/10/json-and-browser-security/

While the risk to Kiva lenders is low now since we are only dealing
with public data, allowing private lender data to be imported via
script tags is a risk further down the road. Our thought is the risk
(and complexity added to create secure applications) is not worth the
benefit to developers.

Writing a server-side proxy for the feeds you need is the most common
solution to accessing data in browser-based applications. Some other
tricks exist using iFrames. The best hope is the new breed of client-
based technologies/standards that will let browser-based JavaScript
access cross-domain resources securely ( http://dev.w3.org/2006/waf/access-control/
http://json.org/JSONRequest.html ). Some tools like BrowserPlus and
Gears let you play with these today, but you won't be able to depend
on these in the wild for a while.

As a final note, I'll point out that anyone using JSON responses in
JavaScript should either parse JSON explicitly or validate the JSON
before taking eval() to it. See here:

http://www.JSON.org/js.html

Linked from the page is a great reference implementation of the
proposed ECMAScript JSON parser interface, JSON.parse().

Cheers,
skylar
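
Added example, not part of the original thread: the difference skylar describes between parsing a JSON response explicitly and handing it to eval(), run over three response bodies. The bodies are constructed, and the fields inside "paging" and the helper names are assumptions, not Kiva's schema or code.

```javascript
// Constructed sample bodies. The fields inside "paging" are assumed, not Kiva's schema.
const GOOD_BODY = '{"paging":{"page":1,"total":2},"loans":[{"id":1}]}';
// JSONP-shaped body, as Jim describes it: callback name, then the data in brackets.
const JSONP_BODY = 'jsonp1234187302835(' + GOOD_BODY + ')';
// Not JSON at all: an expression with a harmless side effect standing in for script.
const SCRIPT_BODY = '({"paging":{"page":(globalThis.__evalSideEffect = true, 1)}})';

// Parse a response as data only, then check the shape before using it.
function parseApiResponse(text) {
  let data;
  try {
    data = JSON.parse(text); // never executes the input
  } catch (err) {
    return { ok: false, reason: 'not JSON: ' + err.name };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'top level is not an object' };
  }
  if (data.paging === null || typeof data.paging !== 'object') {
    return { ok: false, reason: 'missing paging object' };
  }
  return { ok: true, data };
}

// What happens when the same text is run as script instead (eval or a script tag).
function evalOutcome(text) {
  globalThis.__evalSideEffect = false;
  try {
    (0, eval)(text); // indirect eval: global scope, like an included script
  } catch (err) {
    return err.name;
  }
  return globalThis.__evalSideEffect ? 'ran code' : 'evaluated';
}

console.log(parseApiResponse(GOOD_BODY).ok);
console.log(parseApiResponse(JSONP_BODY).reason);
console.log(parseApiResponse(SCRIPT_BODY).reason);
console.log(evalOutcome(GOOD_BODY));
console.log(evalOutcome(SCRIPT_BODY));
```

The SyntaxError that evalOutcome reports for the bare object is the same parse failure behind the "invalid label" message: at statement level the leading brace opens a block, not an object literal.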

John Brennan

Feb 27, 2009, 1:48:49 PM
to build-kiva
@skylar: i was also hoping the kiva api would support JSONP. JSONP
is no less secure than JSON itself. In both cases there is room for
forgery attacks. the only difference between JSONP and JSON is that
with JSONP you are essentially wrapping a function around it. if the
method wrapper never gets called then it never executes.

the greatest benefit though is that it saves a request and cuts down
on latency.

i hope you rethink your response. would be happy to chat more. this
is starting to get adopted by many others in the community (including
flickr and yahoo apis). :P

in a more positive tone.. i absolutely love what you guys are doing at
kiva!! a real inspiration!

cheers!
john


On Feb 9, 6:56 pm, skylar <sky...@kiva.org> wrote:
> Jim, we don't have plans to support JSONP.  Supporting this advocates
> poor security practices and there are already some good ways to access
> the data from JavaScript that protect your application and your
> users.  Here's a great article on the subject:
>
>  http://yuiblog.com/blog/2007/04/10/json-and-browser-security/
>
> While the risk to Kiva lenders is low now since we are only dealing
> with public data, allowing private lender data to be imported via
> script tags is a risk further down the road.  Our thought is the risk
> (and complexity added to create secure applications) is not worth the
> benefit to developers.
>
> Writing a server-side proxy for the feeds you need is the most common
> solution to accessing data in browser-based applications.  Some other
> tricks exist using iFrames.  The best hope is the new breed of client-
> based technologies/standards that will let browser-based JavaScript
> access cross-domain resources securely ( http://dev.w3.org/2006/waf/access-control/
> http://json.org/JSONRequest.html ).  Some tools like BrowserPlus and
> Gears let you play with these today, but you won't be able to depend
> on these in the wild for a while.
>
> As a final note, I'll point out that anyone using JSON responses in
> JavaScript should either parse JSON explicitly or validate the JSON
> before taking eval() to it.  See here:
>
>  http://www.JSON.org/js.html
>
> Linked from the page is a great reference implementation of the
> proposed ECMAScript JSON parser interface, JSON.parse().
>
> Cheers,
> skylar
>
> On Feb 9, 5:57 am, xlevel <james.t.hu...@gmail.com> wrote:
>
> > Hi,
>
> > Has anyone else tried doing this?
>
> > The callback using $.getJSON returns the data, but causes an "invalid
> > label" error when the callback method is executed.
> > When I look at the data it starts "{"paging":{". Because of the cross
> > domain call I think I need to use JSONP and the data needs to start
> > with the name of the callback method, and then brackets, something
> > like: "jsonp1234187302835({"paging":{".
>
> > Does anyone know if the API supports JSONP? If so, how to enable it?