W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2010

Re: [XHR2] new XMLHttpRequest(anon)

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 16 Feb 2010 16:58:34 -0800
Cc: WebApps WG <public-webapps@w3.org>
Message-id: <300891F4-81AD-444A-BBE9-8FEDA5BADAED@apple.com>
To: Anne van Kesteren <annevk@opera.com>

On Feb 16, 2010, at 7:44 AM, Anne van Kesteren wrote:

> I introduced a new constructor argument for XMLHttpRequest, named  
> anon. This is based on the earlier thread where I suggested that UMP  
> is not needed if we make this small enhancement to XMLHttpRequest.
>
> Basically, if the parameter is set to true, the "XMLHttpRequest  
> origin" is forced to be a unique identifier, setting a username and  
> password through open() will throw an INVALID_ACCESS_ERR, and  
> setting withCredentials will likewise throw an INVALID_ACCESS_ERR.  
> All the other desired properties follow automatically. (In fact, the  
> changes to open() would not have been needed.)

Does it also force the credentials flag to false? I assume the  
combination of anon flag on and credentials flag on does not make sense.

>
>
> Now we introduced this I wonder if implementors are willing to  
> consider to:
>
> A. Remove withCredentials. The use case for this feature is now  
> rather small and I still think it is rather ugly.

withCredentials defaults to false. I think making it default to true  
is probably too risky given deployed implementations. If we remove it  
and leave it defaulting to false, then there would be no way to make a  
request with user credentials.

>
> B. Also throw an INVALID_ACCESS_ERR for username and password  
> arguments to open() when the URL provided is non same-origin. Now  
> they are just ignored, but it seems better to throw so people are  
> not confused why things are not working.

No opinion on this either way.

Regards,
Maciej
Received on Wednesday, 17 February 2010 00:59:06 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:37 GMT