XMLHttpRequests (commonly called “AJAX” requests) inherit the full authentication context of the currently logged-in user, so a malicious web page could attempt to make requests across domain contexts with that user’s credentials and cause trouble. Browsers restrict cross-origin requests for that reason, and historically that has made it difficult for web developers to build web applications that make use of third-party APIs.
To prevent these cross-site attacks, Socrata automatically drops all authentication and authorization on requests that come in via CORS and JSONP. As a result, these techniques can only be used to access public datasets in a read-only fashion.
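The policy described above, sketched as a server-side filter. This is an added example, not Socrata's code; the `$jsonp` parameter name, the credential header list, the `applyCrossOriginPolicy` function and the example.org hosts are assumptions made for illustration.

```javascript
// Added illustration, not Socrata's implementation: requests that arrive via
// CORS or JSONP are handled as anonymous and read-only.
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie"]); // assumed credential carriers
const READ_ONLY_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);   // OPTIONS lets the CORS preflight through
const JSONP_PARAM = "$jsonp"; // assumed name of the JSONP callback query parameter

// selfOrigin is the API's own origin, e.g. "https://data.example.org" (hypothetical).
function applyCrossOriginPolicy(req, selfOrigin) {
  const query = new URL(req.url, selfOrigin).searchParams;
  const origin = req.headers.origin;
  // Browsers attach Origin to CORS requests; the string "null" (sandboxed or
  // opaque origins) never equals selfOrigin, so it is treated as cross-origin.
  const viaCors = origin !== undefined && origin !== selfOrigin;
  // A JSONP <script> load normally sends no Origin header, so detect it by its callback parameter.
  const viaJsonp = query.has(JSONP_PARAM);

  if (!viaCors && !viaJsonp) {
    // Same-origin request: credentials are left in place.
    return { allowed: true, anonymous: false, headers: { ...req.headers } };
  }
  if (!READ_ONLY_METHODS.has(req.method.toUpperCase())) {
    // Cross-origin writes are refused outright.
    return { allowed: false, anonymous: true, headers: {} };
  }
  // Cross-origin read: copy every header except the credential-bearing ones.
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  return { allowed: true, anonymous: true, headers };
}

// Constructed sample requests (header names lower-cased, as Node's http module delivers them).
const SELF = "https://data.example.org";
const samples = [
  { method: "GET", url: "/resource/abcd-1234.json", headers: { origin: "https://app.example.com", cookie: "session=abc" } },
  { method: "GET", url: "/resource/abcd-1234.json?$jsonp=handle", headers: { cookie: "session=abc" } },
  { method: "POST", url: "/resource/abcd-1234.json", headers: { origin: "https://app.example.com", cookie: "session=abc" } },
  { method: "POST", url: "/resource/abcd-1234.json", headers: { origin: SELF, cookie: "session=abc" } },
];
for (const req of samples) {
  const { allowed, anonymous, headers } = applyCrossOriginPolicy(req, SELF);
  console.log(req.method, req.url, { allowed, anonymous, hasCookie: "cookie" in headers });
}
```

The same-origin POST keeps its cookie, while the cross-origin and JSONP reads are served without it and the cross-origin POST is refused.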
CORS is a proposed standard for allowing your web browser and a web server to negotiate and allow requests to be made across domain contexts. CORS is currently supported in modern Chrome, Firefox, Safari, and Internet Explorer (10+) web browsers. The standard itself is working its way through the W3C on its way to becoming official.
If you’re developing for older browsers, or you just feel like being nostalgic, you can also make use of our support for JSONP. Also called “JSON with Padding”, it is a technique for fooling a web browser into performing cross-origin requests using a special <script> tag that uses the
Sounds hacky, huh? Fortunately, tools like jQuery make it easy to use JSONP:
But, as we mentioned, you should only need to use JSONP as a fallback in cases where you’re working with a browser that doesn’t support CORS.