License Validation API: Access-Control-Allow-Origin: *

[vbresults]

If I'm not mistaken, he's using the client-side request to essentially perform validation so that he doesn't waste a server API call for an invalid request. Once the client performs a (presumably) valid request, he tests it on the server side.

Exactly.

Maybe it would reduce the complexity involved if invalid requests didn't count towards the limit (or had a separate limit), instead of adding JSONP support and performing client-side validation at all.

It's so easy to add JSONP support, 4 lines of code; creating a separate limit etc would make things complex.

$callback = isset($_GET['callback']) && !empty ($_GET['callback']) ? $_GET['callback'] : "";

header("Access-Control-Allow-Origin: *");
header(sprintf("Content-Type: application/%s", !$callback ? "json" : "javascript"));

printf(!$callback ? '%1$s' : '%2$s(%1$s);', json_encode($response, JSON_PRETTY_PRINT), $callback);