Cross-Origin Resource Sharing (CORS)

The API supports Cross-Origin Resource Sharing (CORS) for AJAX requests. You can read the CORS W3C working draft, or this intro from the HTML 5 Security Guide.

Here's a sample request sent from a browser hitting -H "Origin:"
Access-Control-Request-Headers: X-Custom-Header

At present, all domains are accepted. Both OPTIONS preflight requests and the full requests that follow them are answered with the following headers:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: X-Custom-Header

Note that in the near future, the allowed origins will be limited to those registered with us as third-party applications.
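One way a server could apply the registered-origin restriction described above, shown as an added example and not the API's own code. The origin list, the constants and the function name `corsHeaders` are assumptions made for illustration; the methods and header are the ones listed on this page.

```javascript
// Constructed sample registry; a real service would load registered
// third-party application origins from its own data store.
const REGISTERED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org:8443",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["x-custom-header"];

// Denied responses still carry Vary so a shared cache never serves an
// allowed origin's response to a different origin.
const deny = () => ({ Vary: "Origin" });

// Hypothetical helper: returns the CORS headers to attach to a response.
function corsHeaders(method, requestHeaders, registered = REGISTERED_ORIGINS) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(requestHeaders)) h[k.toLowerCase()] = v;

  // Exact match on the serialized origin (scheme, host, port). No substring,
  // suffix or regex tests, so look-alike hosts and "null" are refused.
  const origin = h["origin"];
  if (!origin || !registered.has(origin)) return deny();

  // Echo the matched origin instead of "*".
  const out = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in h;
  if (!isPreflight) return out;

  // Preflight: every requested method and header must be on the allow-list.
  const wantMethod = h["access-control-request-method"];
  const wantHeaders = (h["access-control-request-headers"] || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod)) return deny();
  if (!wantHeaders.every((n) => ALLOWED_HEADERS.includes(n))) return deny();

  out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  out["Access-Control-Allow-Headers"] = "X-Custom-Header";
  return out;
}
```

A client can confirm the restriction is in force by checking that `Access-Control-Allow-Origin` echoes its own registered origin and is absent for any other.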