W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: IE Team's Proposal for Cross Site Requests

From: Henri Sivonen <hsivonen@iki.fi>
Date: Sat, 10 May 2008 12:53:47 +0300
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "public-webapi@w3.org" <public-webapi@w3.org>
Message-Id: <4D6DE992-5E7C-49A2-83F4-CE45B76C1832@iki.fi>
To: Chris Wilson <chris.wilson@microsoft.com>

(Quotes reordered.)
On May 10, 2008, at 01:46 , Chris Wilson wrote:

>> * Chris Wilson wrote:
>>> Even according to the designer of Access Control,  the feature was
>>> designed for non browser applications, and the idea of enabling AC  
>>> for
>>> the browser platform by applying Access Control to XHR “came as an
>>> afterthought.” [7].
>>> [7] http://lists.w3.org/Archives/Public/public-webapi/2008Mar/0154.html
>> Henri is talking about his validator.nu site, not about "Access  
>> Control"
>> (neither is he "the designer of Access Control").

> Right you are, on both points.  My apologies.

Moreover, the way my message was quoted misses the point of my  
message. The point is this:

I designed RESTful Web service APIs according to best practice with  
knowledge that the APIs would be called by untrusted HTTP clients out  
there. Those HTTP clients could be of any kind from my point of view-- 
currently browsers just refuse.

With access-control, I was able to add a policy that will make  
browsers not refuse in one place without changing my RESTful API  
design and without changing the way a client script programmer sees  
the API.

All three competing proposals (XDR, JSONRequest and postMessage 
+iframe) would require me to add a new API design alongside the ones I  
already have and tailor it to the whims of the competing proposal.

Henri Sivonen
Received on Saturday, 10 May 2008 09:54:27 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:26 UTC