The callback function passed to gadgets.io.makeRequest is called with
an object containing various attributes about the response. Those
attributes are:
text: the body of the response
data: a parsed version of the text, depending on the content-type
requested. At the moment this can be either XML or JSON.
errors: a list of errors (no semantics defined as yet)
oauthApprovalUrl, oauthError, oauthErrorText: used for OAuth responses
I've been looking at integration of gadgets.io.makeRequest with
various web apps, and I think we should add a couple of additional
parameters to that list.
rc: the HTTP response code
headers: a javascript object with HTTP headers returned from the response.
We should not return all of the HTTP headers, because most are not
useful to clients, and returning them all would waste bandwidth. I'd
like to return just the set-cookie and location headers for now. We
can add more as needed.
Comments?
Right now you can't use makeRequest to work with any site that
requires cookies. As an example, the google calendar web service
requires cookies, and so you can't use it through makeRequest.
Returning set-cookie header from a makeRequest call doesn't solve this
problem, or does it? I'd assume that we'll also need to allow
developers to set cookies through makeRequest.
What's the practical difference between allowing javascript to specify
cookies in headers vs the same parameter in a query string?
The main differences between the two mechanisms in a normal web app are:
1) Cookies are sent automatically, so developers need to think about
other mechanisms of CSRF protection if they are using cookies.
2) Referer headers can leak, so if developers are sticking secrets in
URLs they need to be careful about creating links to untrusted sites.
3) Sticking session IDs in query parameters requires careful
programming. Sticking them in cookies is easy.
AFAICT, none of those issues are relevant for apps built using
gadgets.io.makeRequest.
The one new security concern I can see is HTTP request smuggling,
where someone passes a cookie name like "foo\nbar", confusing various
HTTP proxy servers. That's a risk today, it applies to any API that
lets people specify header names or values.
Would it be possible to have a parameter in RequestParameters such
as :
<static> object GET_HEADER
if the response contains header, it return all the headers; defaults
to false.
For example, this can be useful when you want to connect to a webdav
backend.
https://issues.apache.org/jira/browse/SHINDIG-882
Thanks,
Jeremi