I thought I was being so clever when I put a content-negotiated API into TradeUps.net, my web development playground. To put it simply, a page can return the same information in different formats, depending upon the HTTP Accept: header. For example, this profile page (view only in Firefox for now) responds to a standard browser request with an HTML document, but returns JSON when it sees Accept: application/json as a header. In this case, a script on the page calls the same URL (

View Source on that page — you should see JSON instead of HTML. That's because Firefox is ignoring the Vary: Accept response header and overwriting the page cache with the JSON response. Even worse, if you try to save the page to your hard drive, you'll get the JSON there as well. (I have yet to see what IE does because IE7 sends a strange Accept header some of the time, and I haven't put in a fix on the server yet.)
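To make the cache behaviour concrete, here is an added example (not the TradeUps.net code) of a content-negotiated handler that parses Accept q-values, always sends Vary: Accept, and is run against a toy cache that either honours Vary or, like the Firefox behaviour above, keys on the URL alone. The profile data, the /profile/alice path and the cache model are assumptions for illustration.

```python
import json

PROFILE = {"user": "alice", "trades": 12}  # constructed sample data

def parse_accept(header):
    """Media types from an Accept header, highest q-value first, q=0 dropped."""
    types = []
    for part in header.split(","):
        media, *params = [p.strip() for p in part.split(";")]
        q = 1.0
        for param in params:
            k, _, v = param.partition("=")
            if k.strip() == "q":
                q = float(v) if v.replace(".", "", 1).isdigit() else 0.0
        if media and q > 0:
            types.append((media, q))
    return [m for m, _ in sorted(types, key=lambda t: -t[1])]

def profile_handler(req_headers):
    """HTML unless application/json is listed explicitly; a bare */* stays HTML."""
    wants_json = "application/json" in parse_accept(req_headers.get("Accept", ""))
    hdrs = {"Vary": "Accept",  # tells caches the body depends on Accept
            "Content-Type": "application/json" if wants_json else "text/html"}
    body = json.dumps(PROFILE) if wants_json else "<h1>%s</h1>" % PROFILE["user"]
    return hdrs, body

class Cache:
    """Toy cache; honor_vary=False models a browser cache that ignores Vary."""
    def __init__(self, honor_vary):
        self.honor_vary, self.store = honor_vary, {}
    def _key(self, url, req_headers, hdrs):
        if not self.honor_vary:
            return url  # URL only: the second representation overwrites the first
        vary = hdrs.get("Vary", "")  # also key on the request headers named in Vary
        return (url, tuple(req_headers.get(h.strip(), "") for h in vary.split(",")))
    def store_response(self, url, req_headers, hdrs, body):
        self.store[self._key(url, req_headers, hdrs)] = body
    def lookup(self, url, req_headers):
        # What View Source or Save Page reads back; stored entries all carry Vary: Accept
        return self.store.get(self._key(url, req_headers, {"Vary": "Accept"}))

def view_source_after_ajax(honor_vary):
    """Browser loads the profile as HTML, then a script on it fetches JSON."""
    cache, url = Cache(honor_vary), "/profile/alice"  # assumed path
    browser = {"Accept": "text/html,application/xhtml+xml,*/*;q=0.8"}
    ajax = {"Accept": "application/json"}
    cache.store_response(url, browser, *profile_handler(browser))
    cache.store_response(url, ajax, *profile_handler(ajax))
    return cache.lookup(url, browser)  # HTML if Vary is honoured, JSON if not
```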
(Sidenote: People could use this flaw as a way of hiding their source code. Just make an AJAX call with
I really want to use content negotiation for my API, but this behavior is a potential blocker. Any ideas?