[Developers] example mqlwrite using javascript
Alec Flett
alecf at metaweb.com
Fri Mar 20 00:15:59 UTC 2009
Short answer: you can't do it from pages not on freebase.com
Long answer:
Writes are done via HTTP POST - but freebase.com actually restricts POSTs
to those containing the header "X-Metaweb-Request". The trick there is
that the only way to alter headers in a request is to use
XMLHttpRequest, and you can't make XMLHttpRequest calls across domain
names.
This is one of those unfortunate aspects of the overall browser /
domain security architecture. If we didn't require that header, then
any arbitrary, malicious web page could do a form POST and it would be
done as whoever is logged in... i.e. I could say
<html onload="forms[0].submit()">
<form name="foo" method="POST" target="http://www.freebase.com/api/service/mqlwrite">
<input type="hidden" name="queries" value="{"query": {"id": "/en/david_bowie", "name": {"value": "Bowie Sucks", "connect": "update", "lang": "/lang/en"}">
</form>
Welcome, naive user, I just defaced freebase.com on your behalf!
</html>
Because of the header restriction, this will fail if you try this today.
Alec
On Mar 18, 2009, at 12:41 PM, Jack Alves wrote:
> Can anyone point me to a javascript example of a mqlwrite. I'm doing
> reads with the following jquery call. I can't figure out what to do
> for writes.
>
> $.ajax({
> url: 'http://www.freebase.com/api/service/mqlread',
> dataType: "jsonp",
> cache: true,
> success: mqlread_cb,
> data: { queries: query }
> });
>
> thanks
>
> jack
> _______________________________________________
> Developers mailing list
> Developers at freebase.com
> http://lists.freebase.com/mailman/listinfo/developers
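
The header restriction described in the reply above, sketched as a server-side check. This is an added example, not code from the thread or from Freebase; only the header name comes from the post, while the presence-only test, the preflight handling and every function name are assumptions.

```javascript
// Added example, not Freebase's code. Header name is from the post; the
// presence-only check and all other names here are assumptions.
const REQUIRED_HEADER = 'x-metaweb-request'; // Node's http module lower-cases header names
const SAFE_METHODS = new Set(['GET', 'HEAD']);

// Connect/Express-style middleware: (req, res, next).
function requireCustomHeader(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next(); // reads are not gated here
  if (req.method === 'OPTIONS') {
    // CORS preflight: answer without Access-Control-Allow-* headers so a
    // cross-origin script is never cleared to send the custom header.
    res.statusCode = 403;
    return res.end('cross-origin preflight refused');
  }
  if (!(REQUIRED_HEADER in req.headers)) {
    // A cross-site HTML form sends the user's cookies but cannot add headers.
    res.statusCode = 403;
    return res.end('missing X-Metaweb-Request header');
  }
  return next();
}

// Run the middleware against a constructed request and report the outcome.
function simulate(method, headers) {
  const res = { statusCode: 200, body: '', end(text) { this.body = text; } };
  let reachedHandler = false;
  requireCustomHeader({ method, headers }, res, () => { reachedHandler = true; });
  return { reachedHandler, status: res.statusCode, body: res.body };
}

// Constructed sample requests (cookie value and origin are placeholders).
const base = { cookie: 'session=CONSTRUCTED', 'content-type': 'application/x-www-form-urlencoded' };
const cases = {
  crossSiteFormPost: simulate('POST', base),
  sameOriginXhrPost: simulate('POST', { ...base, 'x-metaweb-request': '1' }),
  preflight: simulate('OPTIONS', { origin: 'http://other.example',
    'access-control-request-headers': 'x-metaweb-request' }),
  read: simulate('GET', {}),
};
for (const [name, r] of Object.entries(cases)) {
  console.log(name.padEnd(18), r.status, r.reachedHandler ? 'handler runs' : 'blocked: ' + r.body);
}
```

The check only holds while the server never grants cross-origin scripts permission to send the header, which is why the preflight branch returns no CORS headers.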