Comments

5 comments

  • alf
    The response is inaccurate - sending a cross-domain request does not expose a user's cookies any more than having an image from orcid.org embedded on another page does. A cross-domain response to a request that contains cookies (which are only included when the XMLHttpRequest "withCredentials" property is set to true) is not readable unless the response headers include "Access-Control-Allow-Credentials: true". Adding the "Access-Control-Allow-Origin: *" header to responses will not expose any of the user's private information, unless "Access-Control-Allow-Credentials: true" is also set. JSONP, on the other hand, does decrease security, as it encourages the use of third-party scripts on web pages which might otherwise be secure. If there really is a concern about cookie security, then the API should be hosted on a different domain from the main orcid.org site, so that no cookies are sent when accessing the API.
  • alf
    I think this response is incorrect, as adding "Access-Control-Allow-Origin: *" would not expose a user's cookies or private data. On the other hand, the use of JSONP encourages sites to embed third-party JavaScript, which could actually be a security risk. If there really is a concern about cookies being sniffed while passed over the network, running the API over HTTPS and/or on a different domain from the main orcid.org site would be useful approaches. This is still a valid request that is essential for use of the ORCID API in client-side environments.
  • Alexander Dutton
    I'm concurring with alf; Access-Control-Allow-Origin does not expose cookies; see https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Requests_with_credentials for more information. We're using CORS to provide an OAuth2-enabled API to JavaScript-based clients quite happily.
  • alf
    It looks like responses from the public API now include the "Access-Control-Allow-Origin: *" header, so this suggestion can be marked as "Implemented" :-)
  • Ana Cardoso

    Hi alf,

    Thanks for catching this, we sometimes miss updating iDea when new features are released. You are correct that "Access-Control-Allow-Origin:*" is now implemented for the ORCID API.

    Best,
    -Catalina
    ORCID Support
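
Added example (not part of any comment above, and not ORCID code): a simplified model of the check a browser applies before letting page script read a cross-origin response, showing why "Access-Control-Allow-Origin: *" alone does not make a cookie-bearing response readable. The function names and the origin https://client.example are hypothetical, and the header sets are constructed.

```javascript
// Simplified model of the browser-side CORS check for a cross-origin
// XMLHttpRequest, following the Fetch standard's rules. Illustrative only.

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// True when script running at `pageOrigin` may read the response.
// `withCredentials` mirrors XMLHttpRequest.withCredentials (cookies sent).
function responseReadable(pageOrigin, withCredentials, responseHeaders) {
  const allowOrigin = getHeader(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return false;        // server did not opt in
  if (!withCredentials && allowOrigin === "*") return true; // anonymous read
  if (allowOrigin !== pageOrigin) return false;  // "*" is not a match here
  if (!withCredentials) return true;
  // Credentialed request: the server must also opt in with the exact value "true".
  return getHeader(responseHeaders, "Access-Control-Allow-Credentials") === "true";
}

// Constructed scenarios (hypothetical origin, constructed header sets).
const ORIGIN = "https://client.example";
const scenarios = [
  { name: "wildcard, no cookies", cred: false,
    headers: { "Access-Control-Allow-Origin": "*" } },
  { name: "wildcard, cookies sent", cred: true,
    headers: { "Access-Control-Allow-Origin": "*" } },
  { name: "wildcard + allow-credentials, cookies sent", cred: true,
    headers: { "Access-Control-Allow-Origin": "*",
               "Access-Control-Allow-Credentials": "true" } },
  { name: "exact origin + allow-credentials, cookies sent", cred: true,
    headers: { "access-control-allow-origin": ORIGIN,
               "access-control-allow-credentials": "true" } },
  { name: "no CORS headers", cred: false, headers: {} },
];

function runScenarios() {
  return scenarios.map((s) => ({
    name: s.name,
    readable: responseReadable(ORIGIN, s.cred, s.headers),
  }));
}

console.table(runScenarios());
```

Only the exact-origin response with "Access-Control-Allow-Credentials: true" is readable on a credentialed request; the wildcard permits anonymous reads only.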
