Content negotiation, AJAX, and APIs

Automated disclaimer: This post was written more than 15 years ago and I may not have looked at it since.

Older posts may not align with who I am today and how I would think or write, and may have been written in reaction to a cultural context that no longer applies. Some of my high school or college posts are just embarrassing. However, I have left them public because I believe in keeping old web pages alive, and it's interesting to see how I've changed.

I thought I was being so clever when I put a content-negotiated API into TradeUps.net, my web development playground. To put it simply, a page can return the same information in different formats, depending upon the HTTP Accept: header. For example, this profile page (view only in Firefox for now) responds to a standard browser request with an HTML document, but returns JSON when it sees Accept: application/json. In this case, a script on the page makes an AJAX call with Accept: application/json to get the map data in javascript-friendly format. That's where the weirdness starts.

View Source on that page — you should see JSON instead of HTML. That's because Firefox is ignoring the Vary: Accept header some of the time, and I haven't put in a fix on the server yet. Even worse, if you try to save the page to your hard drive, you'll get the JSON response.

(Sidenote: People could use this flaw as a way of hiding their source code. Just make an AJAX call with Accept: application/json.)
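To make the mechanism concrete, here is an added example (my code, not anything from TradeUps.net): a small Accept-header negotiator that serves the same profile as HTML or JSON from one URL and marks every response with Vary: Accept, plus a toy cache that replays the View Source scenario twice, once keying entries on URL plus the Vary headers as a correct cache does, and once keying on URL alone as the post says Firefox did some of the time. The profile data, the /profile/example path and the browser Accept string are constructed for the example.

```javascript
// Added example (not the TradeUps.net code): Accept-based content negotiation
// with Vary: Accept, and a toy cache showing what goes wrong when Vary is ignored.
// Run with: node example.js

// Constructed sample data standing in for the profile / map data on the page.
const profile = { name: "Example User <test>", lat: 42.3601, lng: -71.0589 };

// Parse an Accept header into [{ type, q }], highest q first.
// Simplified: handles q-values only and ignores other media-type parameters.
function parseAccept(accept) {
  if (!accept) return [{ type: "*/*", q: 1 }]; // no header means "anything"
  return accept
    .split(",")
    .map((part) => {
      const [type, ...params] = part.trim().split(";").map((s) => s.trim());
      const qParam = params.find((p) => /^q=/i.test(p));
      const q = qParam ? parseFloat(qParam.slice(2)) : 1;
      return { type: type.toLowerCase(), q: Number.isNaN(q) ? 0 : q };
    })
    .filter((e) => e.q > 0) // q=0 means "never send this"
    .sort((a, b) => b.q - a.q); // sort is stable, so order within a q tier is kept
}

const SUPPORTED = new Map([["text/html", "html"], ["application/json", "json"]]);

// Pick a representation: "html", "json", or null when nothing is acceptable.
function negotiate(accept) {
  for (const { type } of parseAccept(accept)) {
    if (SUPPORTED.has(type)) return SUPPORTED.get(type);
    if (type === "*/*" || type === "text/*") return "html"; // default representation
    if (type === "application/*") return "json";
  }
  return null;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// The negotiated endpoint. Every response carries Vary: Accept so that a
// correct cache stores the HTML and JSON variants under separate keys.
function handleProfile(reqHeaders) {
  const rep = negotiate(reqHeaders.accept);
  if (rep === null) {
    return { status: 406, headers: { "Content-Type": "text/plain", Vary: "Accept" }, body: "Not Acceptable" };
  }
  if (rep === "json") {
    return { status: 200, headers: { "Content-Type": "application/json", Vary: "Accept" }, body: JSON.stringify(profile) };
  }
  const html = `<!DOCTYPE html><html><body><h1>${escapeHtml(profile.name)}</h1>` +
    `<div id="map" data-lat="${profile.lat}" data-lng="${profile.lng}"></div></body></html>`;
  return { status: 200, headers: { "Content-Type": "text/html; charset=utf-8", Vary: "Accept" }, body: html };
}

// Toy cache. honorVary=true keys entries on URL plus the request's values of the
// headers named in Vary; honorVary=false keys on URL alone, last response wins.
class ToyCache {
  constructor(honorVary) { this.honorVary = honorVary; this.entries = new Map(); }
  static selectingKey(reqHeaders, vary) {
    return vary.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean).sort()
      .map((h) => `${h}=${(reqHeaders[h] || "").trim()}`).join(";");
  }
  store(url, reqHeaders, response) {
    const vary = response.headers.Vary || "";
    const entry = { vary, key: ToyCache.selectingKey(reqHeaders, vary), response };
    if (!this.honorVary) { this.entries.set(url, [entry]); return; }
    const list = (this.entries.get(url) || []).filter((e) => e.key !== entry.key);
    list.push(entry);
    this.entries.set(url, list);
  }
  lookup(url, reqHeaders) {
    const list = this.entries.get(url) || [];
    if (!this.honorVary) return list.length ? list[0].response : null;
    const hit = list.find((e) => e.key === ToyCache.selectingKey(reqHeaders, e.vary));
    return hit ? hit.response : null;
  }
}

// Replay the post's scenario: the browser loads the page (HTML), the page's
// script fetches the same URL with Accept: application/json, then View Source
// (or Save Page) reads the cache for that URL with the browser's Accept header.
// Returns the Content-Type that View Source would show.
function viewSourceScenario(honorVary) {
  const cache = new ToyCache(honorVary);
  const url = "/profile/example"; // hypothetical path, not a real TradeUps.net URL
  const browserReq = { accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" };
  const ajaxReq = { accept: "application/json" };
  cache.store(url, browserReq, handleProfile(browserReq)); // page load
  cache.store(url, ajaxReq, handleProfile(ajaxReq));       // AJAX call
  const shown = cache.lookup(url, browserReq);             // View Source
  return shown ? shown.headers["Content-Type"] : null;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("Vary-aware cache shows:", viewSourceScenario(true));
  console.log("URL-only cache shows:  ", viewSourceScenario(false));
}
```

The Vary-aware run shows text/html, the URL-only run shows application/json, which is exactly the symptom described above: the JSON response from the AJAX call overwrote the single entry for that URL. The server side here is doing the right thing, and the caveat is that Vary only helps if every cache between the server and the user honours it; a shared proxy that ignores it would serve the wrong variant to other visitors, not just to View Source. The robust alternative is to give the JSON representation its own URL so that no cache has to tell the two apart.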
