So when exactly would cor come to play? Im thinking possibly if we authenticate using a service then allow user to update their own bungie.net account. Is this correct? Digressing: I'm building my own api for a different application. I was scratching my head as to how to auth my own key, and I find the x-api-key header a novel alternative. Is that standard? I believe anything with a X- prepend is custom; right? Personally I was looking at a key/datetime/passcode with md5 type coding passed in the request. Is the header approach better?

COR might probably never come out and play due the lack of interest, i was the first one who was interested. The header aproache is better for the authentication, you cannot modify the headers with a GET request. When you have the Cookies of a Signed In user and the API key of course, you can do the same stuff as you can do by hand. Send me a PM if you need some help

Hi, I'm also interested in Javascript access to the API. My biggest concern is that I'm creating a simple Pebble Watch app that pulls in guardian statistics, and since I don't have the resources for a dedicated proxy host to the API, I have no means of querying for a user's info due to the Cross-Origin restrictions. An example would be that I host a simple page on GitHub: http://phatsk.github.io/destiny_pebble/ The page will eventually get some style, if it ends up being usable, but currently I can't make the call to grab the user's profile info. This seriously hobbles my app, as I can only show certain information from things like the Advisors endpoint in the app. N.B. This would all be moot if I had a dedicated server that I could proxy the request through, but that's not currently feasible for me. I also think that there are a lot of developers out there who would get a great use out of being able to access the API via Ajax/CORS/JSONP whathaveyou. Thanks!