[timfletcher]

The problem with webapps using a BAAS intended for mobile apps is the same origin policy. I've yet to find any providers that support Cross-Origin Resource Sharing. This restriction doesn't apply to mobile apps (or Chrome extensions)

[kainosnoema]

OAuth 2 + JSONP might be a good solution to the cross-origin issue.

The primary client for an API I'm currently working on is an iOS app, so for the web version of the client, it just made sense to build on top of the same OAuth-authenticated API. Instead of traditional sessions, we store the access token in a cookie and sign each authenticated request just as you would any third-party API.

[davewasmer]

If it were to operate as simply a REST API, then the service could simply return everything via JSONP to avoid the CORS trap.

[timfletcher]

JSONP only works for GET requests. It's not 'proper' AJAX. You wouldn't be able to POST, PUT or DELETE.

[mmahemoff]

JSONP should only be used for public web services. otherwise, any third party website could make privileged calls.

The BaaS architecture is actually a perfect situation for making privileged calls with CORS, because the server is wholly responsible for the user's identity and permissions.

[dyoder]

We use CORS at spire.io.