I need to call a (HTTP) REST API as as POST call – basically, it allows me to post a message to a forum/community.
Since, there is currently no way of authenticating over the API, I need to depend on browser cookies. ie, have the user logged in to the community and then use the API calls. This means, server proxies are ruled out.
And because its a POST call, JSONP is also ruled out, even if it were supported by the API’s server.
So this POST call needs to be 100% javascript.
This JS will end up being part of a Webpart in Sharepoint so I don’t really want to complicate it with iframes.
Well?
The only way to do a cross-domain POST is to script a form:
You won’t be able to read the response in the iframe due to the Same Origin Policy, but the POST will be made.
Any forum that knows what it’s doing will reject this request. Otherwise, anyone who visited a third-party site could be made to automatically post to the forum against their will. This is known as cross-site request forgery (XSRF) and is a perennial web security problem. Most forum administrators would consider the above code hostile.
Secure forums use an ‘anti-XSRF’ per-action token to prevent the above, essentially requiring that postings be made from the form on the site itself and not from a third-party site. Since you can’t read the document included cross-domain, you can’t pinch the token so can’t authorise a post.