Login at Kodi Home

DoubleT · (This post was last modified: 2018-03-08, 15:23 by jjd-uk.)

hi all,

i see from having a nose through the dev forums that there are upcoming API changes for Leia.

Specifically:

Code:
A major change for Leia onwards is that JSON-RPC no longer accepts many of the commands via HTTP. This is a measure taken for improved security, but no doubt will inconvenience a number of JSON consumers. Although Kodi still accepts HTTP GET requests to JSON it limits all non-POST requests to ReadData permissions only

Im struggling to fully unpack what this means in practice.
Does it mean that by using POST instead of GET i can achieve what i've always been able to,
or
does it mean that regardless of POST / GET, HTTP commands will no longer be accepted for large amounts of requests?

Im thinking in the context of my office where we have more than 10 kodi endpoints which are controlled centrally via a webapp sending numerous http requests all day long.
We use mainly instructions to play, stop, create & play a playlist, play youtube / vimeo / addon content and HDMI-CEC control.

Sorry for being a bit dense on the explanation already given, but i've just downloaded an alpha of leia and our code isn't working any more.
Wondering if its a small re-write to our code or if this leia change means our project will only ever work with krypton.

Thanks in advance for any light you can shed.

**jjd-uk** · (This post was last modified: 2018-03-08, 14:28 by jjd-uk.)

I don't know very much at all about this area of Kodi, but since no one else has replied yet, I'll feedback on what I been led to believe is the situation.

If you want to use the JSON API for read commands then you can still use either GET or POST.

If you need to use the JSON API for an action, write command, or anything else that will modify the state of Kodi then you must use POST.

So HTTP commands will still be accepted however the type of request will determine whether GET can be use.

**da-anda** · (This post was last modified: 2018-03-08, 14:35 by da-anda.)

to quote Rechi from Slack:

Quote:everything marked with "permission": "ReadData" at https://github.com/xbmc/xbmc/blob/master...thods.json is available via GET. All other methods need POST

Background: any Website you visit from your browser could include a hidden iFrame calling the webinterface of Kodi on localhost and perform malicious actions without you noticing. This is why state changing requests and write requests require POST now (which now is also in line with the HTTP spec)

**jjd-uk** · 2018-03-08, 14:32

Just asked on our internal channel and I've been told you should look at https://github.com/xbmc/xbmc/blob/master...thods.json

Any method that has "permission": "ReadData" will still be possible via HTTP GET, everything else must be done by HTTP POST.

DoubleT · 2018-03-08, 14:36

Thanks for the clear explanation, much appreciated!

**jjd-uk** · (This post was last modified: 2018-03-08, 14:53 by jjd-uk.)

(2018-03-08, 14:36)DoubleT Wrote: Thanks for the clear explanation, much appreciated!

If you don't mind, I'd like to modify the subject title to something like "Leia v18 HTTP API changes" and then move this thread to the JSON dev forum in order to make it more discoverable in case anyone else has the same question.

DoubleT · 2018-03-08, 15:07

Fine by me, sure I'll have more questions as time goes on.