使用PHP作为服务器和jQuery作为客户端来创建一个宁静的API

Question

I'm trying to create a Javascript client API service which calls the API of my site. This will be cross domain and i'm aware of the problems this causes. However, I need the user to send through some user credentials (whether that be their username and password encoded obviously or an API key + secret) so that I can return user specific details.

I initially looked at using the jsonp datatype however this doesnt allow you to set any custom headers so ruled this out.

I've been searching the web for a while and been unable to find a secure way of doing this cross domain, has anyone had any success with this and can give me some advice?

UPDATE:

I've tried this following code as suggested by lu1s, however I get an alert of 'boo' as stated n the error function..

$.ajax({
    url: 'http://www.dotsandboxes.co.cc/__tests/cors.php',
    type: 'GET',
    dataType: 'json',
    success: function() { alert('hello!'); },
    error: function() { alert('boo!'); },
    beforeSend: function (xhr) {
        xhr.setRequestHeader('securityCode', 'Foo');
        xhr.setRequestHeader('passkey', 'Bar');
    }
});

Thanks

Answer 1

You can. Try adding the Allow-Access-Control-Origin: * to your HTTP response headers, as well as the correct content-type.

Try with a simple PHP script like this:

<?php
    header('Access-Control-Allow-Origin: *');
    header('Content-type: text/json');
    echo json_encode(array('success'=>true,'data'=>'foobar'));
?>

Check this site to read more info about cross-origin: http://enable-cors.org/

About the authentication, it's NOT recommended to send usernames or passwords, even if they're encrypted. As you stated, it's better to pass a token in the URL. Best if following standards like http://oauth.net/2/ .