Brain on Fire » Blog feed Tim McCormack says words

Content negotiation, AJAX, and APIs

Automated disclaimer: This post was written more than 15 years ago and I may not have looked at it since.

Older posts may not align with who I am today and how I would think or write, and may have been written in reaction to a cultural context that no longer applies. Some of my high school or college posts are just embarrassing. However, I have left them public because I believe in keeping old web pages aliveā€”and it's interesting to see how I've changed.

I thought I was being so clever when I put a content-negotiated API into TradeUps.net, my web development playground. To put it simply, a page can return the same information in different formats, depending upon the HTTP Accept: header. For example, this profile page (view only in Firefox for now) responds to a standard browser request with an HTML document, but returns JSON when it sees Accept: application/json as a header. In this case, a script on the page calls the same URL (/user/admin) again to get the map data in javascript-friendly format. That's where the weirdness starts.

View Source on that page — you should see JSON instead of HTML. That's because Firefox is ignoring the Vary: Accept response header and overwriting the page cache with the JSON response. Even worse, if you try to save the page to your hard drive, you'll get the JSON there as well. (I have yet to see what IE does because IE7 sends a strange Accept header some of the time, and I haven't put in a fix on the server yet.)

(Sidenote: People could use this flaw as a way of hiding their source code. Just make an AJAX call with Accept: null/void and return an empty response. This won't protect the source if javascript is disabled or if the source is accessed through the DOM, but it will prevent casual inspection.)

I really want to use content negotiation for my API, but this behavior is a potential blocker. Any ideas?

Responses: 2 so far Feed icon

  1. #16864 | Thursday, October 18th, 2007 at 03:11 (EDT)

    dret says:

    when i do a "view source" in firefox, the /user/admin page works fine (i use firefox 2.0.0.7 on windows), i do see html. apart from the weirdness, were there any functional problems with your approach? i think using content negotiation for deciding between representations is the way to go (even though i was thinking about xml vs. json), so i was googling for it and found your report...

  2. #17717 | Thursday, November 15th, 2007 at 19:17 (EST)

    Tim McCormack says:

    That's the only problem I had. It's super annoying when I try to use certain web development tools, though.

Self-service commenting is not yet reimplemented after the Wordpress migration, sorry! For now, you can respond by email; please indicate whether you're OK with having your response posted publicly (and if so, under what name).