ERRest and JSONP?


Jesse Tayler

Mar 19, 2012, 3:36:58 PM
to WebObjects-Dev Mailing List List
Isn't jsonp easy to support via ERRest?

Security problem?

What to do when we have a JavaScript that must run on external domains?

Seems that jsonp is what is used most and it seems like a js wrapper that should be easy to put in?


Pascal Robert

Mar 19, 2012, 3:41:09 PM
to Jesse Tayler, WebObjects-Dev Mailing List List
Because nobody added support for it :-) The only thing ERRest supports right now is Same Origin Policy and window.name:

http://wiki.wocommunity.org/display/WONDER/ERRest+Framework#ERRestFramework-SameOriginpolicy

> Isn't jsonp easy to support via ERRest?
>
> Security problem?
>
> What to do when we have a JavaScript that must run on external domains?
>
> Seems that jsonp is what is used most and it seems like a js wrapper that should be easy to put in?

Jesse Tayler

Mar 19, 2012, 3:55:33 PM
to Pascal Robert, WebObjects-Dev Mailing List List
Yes, I was reading that earlier.

It seems some suggest jsonp has security issues, but what if a UI programmer really prefers jsonp?

Has anyone implemented it or has advice on how I should redirect the technique we're using for the UI here?


Pascal Robert

Mar 19, 2012, 7:58:12 PM
to Jesse Tayler, WebObjects-Dev Mailing List List

On 2012-03-19 at 15:55, Jesse Tayler wrote:

> Yes, I was reading that earlier.
>
> It seems some suggest jsonp has security issues, but what if a UI programmer really prefers jsonp?

I don't know why someone would prefer JSONP to Same Origin Policy, which doesn't require anything on the client side (you only need something server-side to be able to answer the OPTIONS request).

> Has anyone implemented it or has advice on how I should redirect the technique we're using for the UI here?

I guess JSONP would have to be implemented like the window.name support.

Jesse Tayler

Mar 19, 2012, 8:10:27 PM
to Pascal Robert, WebObjects-Dev Mailing List List

I can see that JSONP is basically just some padding that makes it resemble executable javascript, thus I presume stoking the heap with your properties.

I hear that the window.name trick has been deprecated on some newer browsers and no longer works?

I don't know about such things, but, I did read a bit here https://developer.mozilla.org/En/HTTP_Access_Control

also -- foursquare and google seem to use jsonp extensively - so, I'm not sure why that is.

can anyone point me to anywhere I might learn more about this?

Pascal Robert

Mar 19, 2012, 8:13:17 PM
to Jesse Tayler, WebObjects-Dev Mailing List List

On 2012-03-19 at 20:10, Jesse Tayler wrote:

>
> I can see that JSONP is basically just some padding that makes it resemble executable javascript, thus I presume stoking the heap with your properties.
>
> I hear that the window.name trick has been deprecated on some newer browsers and no longer works?
>
> I don't know about such things, but, I did read a bit here https://developer.mozilla.org/En/HTTP_Access_Control

That's the Same Origin Policy stuff, it's already in ERRest.

> also -- foursquare and google seem to use jsonp extensively - so, I'm not sure why that is.

Probably because they want to support IE 6...

Jesse Tayler

Mar 19, 2012, 8:40:46 PM
to Pascal Robert, WebObjects-Dev Mailing List List
Sounds like I'll be implementing JSONP

Seems like there's two steps

1 implement a callback called 'callback' or make one based on a parameter sent from the client.
2 wrap the whole JSON in some seemingly standard looking javascript tags, such that it can execute as a script on the client.

so, this defined callback function gets called when data arrives at the client and poof! there's some properties to use right there in JSON.

seems like I could properly support JSONP by using an ERRest route .jsonp and look for a callback function name or return callback with the JSON and everyone should be happy, even if they do use some form of IE

suggestions?

Rudi Angela

Mar 21, 2012, 2:36:32 PM
to webobje...@googlegroups.com, WebObjects-Dev Mailing List List

In the past I used the following subclass of ERXJSONRestWriter

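    import org.apache.log4j.Logger;

    import er.rest.ERXRestContext;
    import er.rest.ERXRestRequestNode;
    import er.rest.format.ERXJSONRestWriter;
    import er.rest.format.ERXRestFormat;
    import er.rest.format.IERXRestResponse;

    public class JSONPRestWriter extends ERXJSONRestWriter {

        private static final Logger log = Logger.getLogger(JSONPRestWriter.class);

        public void appendToResponse(ERXRestRequestNode node, IERXRestResponse response, ERXRestFormat.Delegate delegate, ERXRestContext context) {
            // Callback name stored in the REST context by the controller; it is written out exactly as received.
            String padding = (String) context.userInfoForKey("callbackName");
            if (padding != null)
                response.appendContentString(padding);
            // The parentheses are emitted whether or not a callback name was set.
            response.appendContentString("(");
            super.appendToResponse(node, response, delegate, context);
            response.appendContentString(")");
        }
    }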

 
which depends on an entry 'callbackName' being set in the ERXRestContext. If this item exists then its name is used as the callback name in the JSONP padding.

Then in your entity's REST controller you should check if the incoming request is for JSONP (if it contains a 'callback' parameter) and if so add the above entry to the REST context, like so:

    @Override
    public WOActionResults indexAction() throws Throwable {
        if (isSchemaRequest()) {
            return schemaResponse(defaultFilter());
        }
        // A 'callback' form value marks the request as JSONP; pass it to the writer through the REST context.
        String callbackName = (String) request().formValueForKey("callback");
        if (callbackName != null)
            restContext().setUserInfoForKey(callbackName, "callbackName");
        ERXRestFetchSpecification<Precio> fetchSpec = new ERXRestFetchSpecification<Precio>(Precio.ENTITY_NAME, null, null, queryFilter(), Precio.FECHA.ascs(), 25);
        return response(fetchSpec, defaultFilter());
    }


This was intended as a hack and works for me. I would be interested in knowing any better solution, though.
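
The writer above echoes the `callback` request parameter into a script response unchanged, which is the usual source of the security concerns about JSONP raised earlier in the thread. The following is an added example, not code from the thread or from ERRest, showing the padding step with an allow-list check on the callback name; the class `JsonpPadding`, its method names, the 64-character cap and the sample values are assumptions made for this illustration.

```java
import java.util.regex.Pattern;

public class JsonpPadding {
    // Dotted JavaScript identifier path, e.g. "handle" or "app.onPrecios" (ASCII only by choice).
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");
    private static final int MAX_CALLBACK_LENGTH = 64; // arbitrary cap chosen for this example

    /** True only when the value can be echoed into a script response as a function name. */
    public static boolean isSafeCallback(String name) {
        return name != null
            && name.length() <= MAX_CALLBACK_LENGTH
            && SAFE_CALLBACK.matcher(name).matches();
    }

    /** Wraps serialized JSON in the padding, or returns null when the callback is rejected. */
    public static String wrap(String callback, String json) {
        if (!isSafeCallback(callback)) {
            return null; // caller should answer 400 rather than reflect the value
        }
        // U+2028 and U+2029 are legal inside JSON strings but end a line in older JavaScript engines.
        String body = json.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029");
        // The leading comment keeps caller-controlled bytes off the very start of the response.
        return "/**/" + callback + "(" + body + ");";
    }

    public static void main(String[] args) {
        String json = "{\"precio\":12.5}"; // constructed sample payload
        String[] callbacks = { "handlePrecios", "app.onPrecios", "a;b", "x(y)", "" }; // constructed
        for (String cb : callbacks) {
            // Accepted names print the padded script; rejected names print null.
            System.out.println("[" + cb + "] -> " + wrap(cb, json));
        }
    }
}
```

In the controller, a rejected name would map to a 400 response instead of being stored with `setUserInfoForKey`. The padded response should be served as `application/javascript` with `X-Content-Type-Options: nosniff`.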
