
jheising | 12 years ago

Correct. Damned be the HTTP specs and REST because they are such a pain in the ass :) I built HAPI precisely because the current standards only work in a world where everyone knows how to use, and enjoys using, curl. I think you should be able to paste a URL for an API anywhere and it should just work.

For example: Here let me show you how to delete that resource using our API... Oh wait, damn. I can't show you because I have no way of sharing a link with you because it requires the DELETE verb. Just go read this documentation and get back to me when you're done. ;)


sunir | 12 years ago

And I can put that delete URI in an <img src=""> and have your browser or iPhone email automatically destroy your document before you can stop it.

jheising | 12 years ago

Yes, and if I were a hacker, I could do the same thing with curl. Either way the only person who's likely to do it is someone who is technically savvy.

bluefinity | 12 years ago

You can do the same thing with POST by submitting a form with JS. The correct way to protect against this sort of thing is to use a CSRF token.
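The three comments above describe one scenario: a destructive action reachable by a plain GET URL, the `<img src>` trick that makes a logged-in browser fire it, the observation that a JS-submitted form does the same over POST, and the fix, a CSRF token. The following is an added example, not code from the thread or from HAPI, that models that endpoint and shows why only the token check stops the cross-site form. The session id, document store, server secret and request shape are all constructed for the illustration; a real server would take the session from its cookie and the token from the form or a header in the same way.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed secret for the example only; a real server loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC(secret, session_id).

    Binding the token to the session means the attacker's page, which can make the
    victim's browser send cookies but cannot read the victim's pages, has no way to
    obtain or forge the value it must include in the request body."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


@dataclass
class Request:
    method: str
    path: str
    cookie_session: Optional[str] = None      # session cookie the browser attaches automatically
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Store:
    docs: Dict[str, str] = field(default_factory=lambda: {"doc-1": "important contents"})


def handle(req: Request, store: Store) -> Tuple[int, str]:
    """Hypothetical 'delete document' endpoint.

    The state change runs only for a POST that carries a valid CSRF token for the
    session named by the cookie. A GET (the <img src> case) is refused outright,
    and a cross-site POST (the JS-submitted form case) fails the token check."""
    if not req.path.startswith("/delete/"):
        return 404, "not found"
    doc_id = req.path[len("/delete/"):]
    if req.method != "POST":
        return 405, "state change requires POST"
    if req.cookie_session is None:
        return 401, "not logged in"
    if not csrf_token_valid(req.cookie_session, req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if doc_id not in store.docs:
        return 404, "no such document"
    del store.docs[doc_id]
    return 200, f"deleted {doc_id}"


def run_scenarios() -> Dict[str, Tuple[int, bool]]:
    """Replay the thread's three cases; each result is (status, document still exists)."""
    session = "constructed-session-abc"   # the victim is logged in; browser holds this cookie
    results = {}

    # 1. <img src="/delete/doc-1">: browser issues a GET with the session cookie, no body.
    store = Store()
    status, _ = handle(Request("GET", "/delete/doc-1", cookie_session=session), store)
    results["img_tag_get"] = (status, "doc-1" in store.docs)

    # 2. Cross-site form submitted by JS: POST with the cookie, but the attacker's page
    #    cannot read the victim's token, so the form carries none.
    store = Store()
    status, _ = handle(Request("POST", "/delete/doc-1", cookie_session=session), store)
    results["cross_site_form_post"] = (status, "doc-1" in store.docs)

    # 3. Legitimate form rendered by the site itself, embedding the session's token.
    store = Store()
    form = {"csrf_token": issue_csrf_token(session)}
    status, _ = handle(Request("POST", "/delete/doc-1", cookie_session=session, form=form), store)
    results["legit_form_post"] = (status, "doc-1" in store.docs)
    return results


if __name__ == "__main__":
    for name, (status, still_there) in run_scenarios().items():
        print(f"{name:22s} -> HTTP {status}, document present: {still_there}")
```

Refusing GET for the state change handles the `<img src>` case on its own, but it is the token check that stops the forged POST, which is the point of the last comment: the method restriction narrows the attack surface, the per-session secret the attacker's page cannot read is what actually authenticates the request as coming from the site's own form.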