Our company is in the process of implementing JSON apis for our services, and we’ve run into a serious limitation in JSONscriptRequest: it causes Internet Explorer to leak memory. See this for details — even after you remove the script tag from the document head, IE decides to keep all of the js text around for, oh, some reason.

Given that we’re rolling this out on a serious scale (involving sending sometimes hundreds of kB of json across the communications channel every five minutes or so) this was causing serious problems.

We’ve worked around this problem by rewriting JSONscriptRequest; instead of attaching a script tag to the document head, we add an iframe element to the page instead, which points to a cgi which loads the json script…….. This is obviously not something we wanted, but since IE stubbornly refuses to garbage collect as well as the other browsers, we don’t see any choice.

If you email me I can send you a test case which illustrates the problem.

–Greg

For instance, let’s say I have an application running on a server which serves out functionality through a json api. I’ll call this server the parent.

I then have a customer who wants to build a public website (which I’ll call child1) where all the data processing is handled by the parent through the API. I then have customer number 2 who wants to do the same thing with an app they accessed through child2. Repeat repeat repeat.

With the assumption that the customer data contains sensitive information, is building this type of application feasible? If I take the approach detailed here, I would dynamically include script tags which would interact with the api on the parent. Is there a way to lock down the api to the approved children where other parties could not interact with the API themselves?

The first thought that comes to mind is creating some type of token based system where the token would be included in the src/uri of the script tag. I would also assume that the token would be time-limited because it would be fairly trivial to read it from the html and included on another website. If this were the case, I’m left with having to fetch a token from the parent by the child servers which would take some of the shine off not having to write a proxy. Although writing a token fetching procedure would not be that difficult, you would have to write a version for the various server technologies out there.

The second thought I have is to restrict access to the api based on http_referer on request of the document in the script tag, but I believe that http_referer is a) unreliable and b) easily spoofed.

I do not wish the end user to have to authenticate themselves (implying that they must create an account) prior to using a working child.

Is it possible to secure a json api in this scenario or am I just dreaming?

Yes that’s correct. The server needs to support JSON with callback. If it doesn’t, you can use the PHP proxy!

–dan

is this solution available *ONLY* if the server supports JSON output ?

If the server doesn’t support JSON output, using JSON it doesn’t make sense, and I can use PHP proxy, or server-side proxy. Is it right ?

sorry for english! :)

~Scotty