can we post/put/delete using jsonp in asp.net webapi?

Using asp.net webApi

I've site1 (http://localhost:53723) and site2 (http://localhost:64009).
I want to fetch data from site2 to site1 (Cross domain, not same origin).

We can use jsonp for this, and I've achieved data.

Can we use jsonp to post/put/delete verb for cross domain (not same origin)?

Re: can we post/put/delete using jsonp in asp.net webapi?

JSONP was a hack to get around the same-origin issue and it's used to get data. Under the covers it's using a <script> tag to make the HTTP request, so it's only using GET and thus those types of HTTP requests should not perform database updates, inserts or deletes.

Re: can we post/put/delete using jsonp in asp.net webapi?

Thanks BrockAllen,

That means we can only fetch using jsonp in cross-domain.

Then my next question is related to asp.net webapi:
I want to make one source for all information (webapi) and use multiple platform to use it (website, mobile app, desktop app, etc)

This'll be cross-domain because i'll keep my webapi as one site and others platform in different site/app store/pc/mac.
So fetching from cross-domain is no issue, but what if i need post/put/delete action?

The answer for this might be use proxy (HttpClient in this case)?
If i'm using proxy then why to invent webapi, we can do the same with WCF Restful service.

Just trying to understand why asp.net webapi?

Re: can we post/put/delete using jsonp in asp.net webapi?

Cors is another the option.

Re: can we post/put/delete using jsonp in asp.net webapi?

CORS isn't really an option for people who want to support IE.

IE has its own implementation, but it does NOT support delete/put. It only is GET/POST.

What I've done (which sucks) is create the GET/POST/DELETE/PUSH verbs like normal, then have another service that posts to the same URLs but prefix the url with get/post/delete/push and build up the request and forward it to the real verb.

ie: POST www.example.com/post/fruit/apple?name=something&whatever=foo&also=bar

Re: can we post/put/delete using jsonp in asp.net webapi?

X-HTTP-Method-Override is another option.

http://www.matlus.com/delegatinghandler-for-x-http-method-override/

Re: can we post/put/delete using jsonp in asp.net webapi?

What exactly are you talking about in reference too? You can't do headers in JSONP.

Re: can we post/put/delete using jsonp in asp.net webapi?

digitalpacman
What exactly are you talking about in reference too?

I am talking about CORs man.

Re: can we post/put/delete using jsonp in asp.net webapi?

Ahhh! Good stuff. I might actually implement that where I work as well. This is for the IE problems with "CORS", yes?

Re: can we post/put/delete using jsonp in asp.net webapi?

Thanks Imran,

Was looking @ the article you provided (http://blogs.msdn.com/b/carlosfigueira/archive/2012/02/20/implementing-cors-support-in-asp-net-web-apis.aspx), have following question.

We allow to response back with any request with 'origin' in header. Then how safety in place? Anyone call this and make attempt of CSRF.
Do we need to filter 'origin' in server side?

Please advice!

Re: can we post/put/delete using jsonp in asp.net webapi?

To stop people from sending users directly to your API to do actions, you can do HMAC.

HMAC will encrypt the transport with a private key, pass a public key, and the server will know what the users private key is and do the same encryption (normally you find the private key using the public key) and check to verify the response is the same.
Then ontop of that, you can accept SSL only and send the datetime (suggested) in the header, and deny all responses that are 5 seconds old. This will stop people from copying requests and sending them multiple times (via packet sniffing).

Re: can we post/put/delete using jsonp in asp.net webapi?

Make sense, means needs to take care on server side.
Thanks a lot @digi & @imran.

At the conclusion:
Only for Get verb: We can use JSONP
for all verbs (Get, Post, Put, Delete): We can use CORS
One should be concerned about security also who can call your webapi service.