W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [XHR2] new XMLHttpRequest(anon)

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 16 Feb 2010 10:53:22 -0800
Message-ID: <63df84f1002161053v306470dagd0b28a06fd6fa90f@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: WebApps WG <public-webapps@w3.org>
Hmm.. I have three concerns.

1. There's a risk of breaking existing content
2. I'd fairly strongly prefer to default to *not* sending credentials.
It's better that people by default get a simpler security model, and
if really needed, opt in to getting a more complex one. I wouldn't
want people to end up setting up the server to accepting requests with
credentials because they don't know about credential-less requests, or
because the back end developer is a stronger developer than the front
end developer and so the team ends up deciding to make the change
there.
3. The new syntax is fairly unintuitive. I would prefer to use a
separate constructor, like AnonXMLHttpRequest.

For me 2 is the biggest problem, but 1 definitely is too.

/ Jonas

On Tue, Feb 16, 2010 at 8:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 16 Feb 2010 17:46:20 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> On Tue, Feb 16, 2010 at 7:44 AM, Anne van Kesteren <annevk@opera.com>
>> wrote:
>>>
>>> A. Remove withCredentials. The use case for this feature is now rather
>>> small and I still think it is rather ugly.
>>
>> How do you mean? How would the author indicate that credentials should
>> be included?
>
> They would always be included unless you do new XMLHttpRequest(true).
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
Received on Tuesday, 16 February 2010 18:54:20 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:37 GMT