Hello, I'm developing a personal API/router and as far as I know cross-domain requests are not allowed, hence the usage of JSONP GET requests. However, I think it is possible to set the headers for a specific URL, e.g. ('/remote/api/{value}'), on your PHP router to allow cross-domain origin for everyone (but only on that URL alone). And I'm wondering what I should do? I know that the standard (if I'm not mistaken) is to use JSONP when you do cross-domain requests.

So how should I approach this? And would it be bad if I allowed remote POST submissions for a specific URL subset?

0x_Anakin
1 Answer

I think you're looking for the Access-Control-Allow-Origin header. This header can be set with PHP (the header function) for any page you like.

You can set the value of the header to a specific URL - probably your own site - or to a * to mean everything. Unless you need this, don't use it. This is only OK for a stateless API with authentication for each request. If you rely on cookies or other built-in security, you're at risk of a cross-domain attack.

There are plenty of other resources about this:

Make sure you know what you're doing before using this.

dtyler
  • I forgot to mention that if I implement this, it will only be accessible via an API key. Wouldn't this make it safer? – 0x_Anakin Feb 28 '14 at 01:11
  • Maybe. You need to secure that token so that no one can get to it. This means using HTTPS only. Also, consider using POST-only requests to avoid logging the token in access logs. The more you can do the better - so, if you can, restrict the ACAO header to just the domain you need. – dtyler Feb 28 '14 at 01:18
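One way to put the answer and the comments together in a PHP front controller, as an added example that is neither the asker's router nor code from the answer: CORS is enabled only under the /remote/api/ route, only for an allow-listed origin instead of *, only for POST, and only with an API key sent in a request header rather than in the URL. The origin list, the key store and the route prefix are assumed placeholder values.

```php
<?php
// Added example (not the question's router or the answer's code): enable CORS
// only for /remote/api/{value}, only for allow-listed origins, and require an
// API key in a header so it does not end up in access logs as part of the URL.
// ALLOWED_ORIGINS, API_KEYS and ROUTE_PREFIX are assumed placeholder values.

const ALLOWED_ORIGINS = ['https://app.example.com'];      // assumed allow-list
const API_KEYS        = ['EXAMPLE_API_KEY_PLACEHOLDER'];  // assumed key store
const ROUTE_PREFIX    = '/remote/api/';

function corsHeadersFor(string $origin): void
{
    // Echo back only an allow-listed origin; never reflect arbitrary origins.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return; // no ACAO header, so the browser blocks the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin');                     // keep caches from mixing origins
    header('Access-Control-Allow-Methods: POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, X-Api-Key');
    header('Access-Control-Max-Age: 600');
    // Access-Control-Allow-Credentials is deliberately NOT sent: the browser
    // never attaches cookies, so authentication rests on the API key alone.
}

$path   = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';

if (strpos($path, ROUTE_PREFIX) !== 0) {
    http_response_code(404);         // CORS is never enabled off this route
    exit;
}

corsHeadersFor($origin);

if ($method === 'OPTIONS') {         // preflight for the cross-origin POST
    http_response_code(204);
    exit;
}

$key = $_SERVER['HTTP_X_API_KEY'] ?? '';
if ($method !== 'POST' || !in_array($key, API_KEYS, true)) {
    http_response_code(401);         // wrong method or unknown key
    exit;
}

$value = substr($path, strlen(ROUTE_PREFIX));
header('Content-Type: application/json');
echo json_encode(['ok' => true, 'value' => $value]);
```

Serve this over HTTPS only, as the comment above says, since the key travels in every request.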