I am writing some code to call the Asana API from the browser. XDR requests emitted from browsers all begin with an OPTIONS call to get the Access-Control-* headers, but the Asana server does not seem to respond to them:

Request URL:https://app.asana.com/api/1.0/users?opt_pretty=true&opt_fields=name,email
Request Method:OPTIONS
Status Code:404 Object Not Found
Request Headers:
  Accept:*/*
  Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
  Accept-Encoding:gzip,deflate,sdch
  Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
  Access-Control-Request-Headers:origin, authorization, accept
  Access-Control-Request-Method:GET
  Connection:keep-alive
  Host:app.asana.com
  Origin:null
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1129.0 Safari/536.11

Query String Parameters:
  opt_pretty:true
  opt_fields:name,email

Response Headers:
  Content-Length:82
  Content-Type:application/json
  Date:Sat, 12 May 2012 22:23:19 GMT
  Server:nginx/0.7.67
  ...

Response headers should contain something like:

Access-Control-Allow-Headers: Accept, Authorization, Content-Type
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Origin: *

Or is there anything that I am missing when requesting the API?

1 Answer

(I work at Asana)

The Asana API does not return these headers right now because it does not support OAuth and cannot securely authenticate requests from clients. It is only secure to return these headers for an authenticated client, otherwise the service would be open to cross-site scripting attacks. OAuth is on the list of features to be supported in the future.

Greg S
  • Any update on OAuth support? It is a pity to be forced to do a server-side proxy for functionality that could be run solely in the browser. – myroslav Jul 05 '12 at 10:35
  • OAuth is high on the list, but we just haven't been able to allocate steady resources to the API recently in order to push out a feature like that. As soon as we do, you're likely to see some new features come out and OAuth may be one of them. – Greg S Jul 16 '12 at 19:29
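
An added example, not part of the original question or answer and not Asana's code: a server-side policy function that answers the preflight shown in the question using an origin allowlist rather than `Access-Control-Allow-Origin: *`. The function name `preflightResponse`, the origin `https://client.example` and the allowlist contents are assumptions made for illustration.

```javascript
// Added example: hypothetical preflight policy, not Asana's implementation.
// The allowlists below are assumed values.
const ALLOWED_ORIGINS = new Set(["https://client.example"]);
const ALLOWED_METHODS = ["GET", "PUT", "POST", "DELETE"];
const ALLOWED_HEADERS = ["accept", "authorization", "content-type", "origin"];

// Decide the response to a CORS preflight (OPTIONS) request.
// `headers` is an object keyed by lower-cased request header names.
function preflightResponse(method, headers) {
  const origin = headers["origin"];
  const reqMethod = headers["access-control-request-method"];
  // Not a preflight: return null so normal routing handles the request.
  if (method !== "OPTIONS" || !origin || !reqMethod) return null;
  const deny = { status: 403, headers: { "Vary": "Origin" } };
  // "null" is the origin of file:// pages and sandboxed iframes; never allowlist it.
  if (origin === "null" || !ALLOWED_ORIGINS.has(origin)) return deny;
  if (!ALLOWED_METHODS.includes(reqMethod.toUpperCase())) return deny;
  const requested = (headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((h) => ALLOWED_HEADERS.includes(h))) return deny;
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin, // echo the vetted origin, not "*"
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(","),
      "Access-Control-Allow-Headers": requested.join(", "),
      "Access-Control-Max-Age": "600",
      "Vary": "Origin", // caches must key on Origin when it is echoed
    },
  };
}

// Constructed inputs: the preflight headers from the question (Origin: null)
// and the same request sent from an allowlisted origin.
const fromQuestion = {
  "origin": "null",
  "access-control-request-method": "GET",
  "access-control-request-headers": "origin, authorization, accept",
};
const fromAllowed = { ...fromQuestion, origin: "https://client.example" };

console.log(preflightResponse("OPTIONS", fromQuestion).status); // 403
console.log(preflightResponse("OPTIONS", fromAllowed));
```

The preflight only tells the browser whether the real request may be sent; the `Authorization` header on the follow-up GET still has to be validated by the API itself.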