It seems that when a content with a binary attribute is accessed, the rest api responds giving the url pointing to var/storage/etc...

This is wrong as:

• default rewrite rules forbid access to that folder
• giving end users access to that folder violates fully the policy system
• it forces the user of the API to build by hand a "proper" url to content/download/xxx/yyy...
• ...which uses a different auth system anyway

Proper solution: extend the rest api with content/binary/etc...