-
Notifications
You must be signed in to change notification settings - Fork 62
CORS And JSONP
CORS and JSON-P represent ways of accessing data from an external resource whilst avoiding the same-origin policy restrictions in web browsers.
Cross origin resource sharing (CORS) is a way for web browsers to request resources from a domain other than the one JavaScript/HTML was originally loaded from. CORS works by the client sending a HTTP header called Origin and providing the originating domain name e.g. Origin: http://www.example.com. The responding server will return an Access-Control-Allow-Origin header back either with the domain of the origin or a *. This means the given domain is allowed to use the origin and not violate same origin policy or any domain can use the data and not violate the same origin policy.
Ensembl REST will return a Access-Control-Allow-Origin: * response header when any Origin request header is sent. You should consider CORS as the best way to access data in Ensembl REST from a browser.
JSON Padded (JSON-P) represents an older way of performing pan-domain requests without violating same-origin policy. It is limited to only supporting GET requests and works by a hack in browsers to allow to loading of JavaScript script files from any resource. The system works like so:
- Make a GET request and pass through a parameter called
callbacke.g.?callback=myrandomfunctionname - The remote server performs the request and generates a JSON document e.g.
{"name":"wibble"} - The remote server then pads the JSON document with a function call e.g.
myrandomfunctionname({"name":"wibble"}) - The client receives this padded JSON which is evaluated within a
<script>tag and the JavaScript developer calls the functionmyrandomfunctionnamewhich returns the JSON document - Requests are made with the MIME type
text/javascript
Whilst this methodology works well in older browsers it is not recommended because of their openness to cross-site request forgery attacks.