<script src="http://api.example.com/index.cfm/my/stuff.jsonp?callback=useReturnData"></script>
useReturnData([{"foo":true,"bar":false},{"foo":false,"bar":true}]);
/path/to/resource?whateverParams&x-callback=myFunction
This allows the callback to be excluded from signing considerations
(along with all other 'x-' parameters). Standardized or not is a
different question, but certainly something with huge precedent.
All told, I'm not sure supplying a callback parameter should be
sufficient to indicate a JSON/P response is desired. It certainly
makes sense to support a '.jsonp' extension (parallel to '.json', and
'.xml') as an indicator of format. However, passing the callback I
think DOES belong outside the request. So I'd propose a response
indicator (the extension) with a default callback name, and an
optional way of specifying a specific callback if that's what you
want. The important piece is that you should be able to grant someone
access to a JSON/P URL (including authorizing it) but let _them_
specify the callback method.
cheers,
barneyb
--
Barney Boisvert
bboi...@gmail.com
http://www.barneyb.com/
Now consider that same case where the URL is pointing at a JSON/P
endpoint. In this case the untrusted user is going to be using your
URL to feed data into *their* application. So you're going to be
signing a URL which allows an untrusted user to make a JSON/P request,
but you don't necessarily know how their application's internals work,
and so therefore can't necessarily know what they're going to want for
a callback. Consider the case of using jQuery to make a callback,
where you specify a URL and a callback. Perhaps the server generates
a signed URL and passes it to your JavaScript to actually invoke
(perhaps more than once, though still subject to expiration).
In that particular case, it becomes VERY important that your URL is
tightly controlled within control of the API client (because it's
going to go to an untrusted user), but at the same time the untrusted
user has to be able to interact with the URL (not the API, the URL) on
it's terms so they have to be able to specify the callback.
If you're using basic auth or an API key, for example, there's no way
to hand an authenticated request config to an untrusted user to make
the actual request, because the request has to be made with your
credential. However a signed request config CAN be passed to an
untrusted user, because it can be made (without modification) without
requiring your credential. Obviously S3 (the example above) doesn't
support JSON/P callbacks, but Twitter, for example, does. With the
Twitter API you can't give an arbitrary third party one-time use to
access your protected tweets. You can grant them permanent use via
OAuth, or you can make your feed public (so everyone has access), but
you can't go half way. With a signed URL, you CAN offer that sort of
functionality.
Does that make more sense?
cheers,
barneyb