LISTSERV 16.5 - CODE4LIB Archives

Some of OCLC's APIs do support JSONP or CORS: for example
QuestionPoint API, the xIdentifier and MapFAST services. However,
other services do not provide this support. This is because for these
services we need to carefully ensure that the application making the
request is actually owned by the institution/user to which the key has
been issued. If we don't do this then there are several consequences

1. We aren't able to clearly distinguish who is using a given service.
This fundamentally makes it more difficult for us to keep statistics
and evaluate the value of our services to the OCLC membership.
2. Users/Institutions not eligible to use particular services are able
to access those services.
3. Other users/institutions may be able to see data which is private
and specific to a particular institution

We know that developers want to use our APIs in Javascripts. As a
result we're working really hard on potential solutions that would
allow us to both provide this type of access and ensure that the
application making the request of the API is coming from an
appropriate authorized institution/user.

If anyone has further questions, they are welcome to email me directly.

Karen

Karen Coombs
Product Manager
OCLC Developer Network
[log in to unmask]


On Mon, Oct 3, 2011 at 8:21 AM, Ed Summers <[log in to unmask]> wrote:
> On Wed, Sep 28, 2011 at 5:36 PM, Godmar Back <[log in to unmask]> wrote:
>> Closer to the code4lib community: OCLC and Serials Solutions don't support
>> JSONP in their webservices, either, even though doing so would allow cool
>> services and would likely not affect their business models adversely in a
>> significant way, IMO. We should keep lobbying them to remove these
>> restrictions, as I've been doing for a while.
>
> I agree. I'm not sure how pervasive it is at OCLC, but their MapFast
> Service supports Cross Origin Resource Sharing (CORS) [1,2], which
> means that JSONP isn't needed for modern browsers. Basically it's just
> adding the following header to the JSON response:
>
>    Access-Control-Allow-Origin: *
>
> Something to think about when creating a web service for others, at any rate.
>
> [1] http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing
> [2] http://inkdroid.org/journal/2011/02/09/oclcs-mapfast-and-cors/
>