Comment 9 for bug 385517

OOI, why does the webapp require its own "private" API root? Is it just because browsers will only let you connect back to the originating domain, or is there anything deeper involved?

Is there any need to guard it against non-webapp access? Certainly it looks useful to me to allow people learning the basics of the API to pull up anonymous-read-only JSON documents in their web browser for inspection.