Re: Extension methods & XMLHttpRequest

My first paragraphs are in response to the broader thread and not
Julian's specific comment ...

I'm so tired of protocol designers believing that if they dictate that
the user somehow be forced to approve an action, users can then be
faulted for their stupidity when accepting a risky choice.

Informed consent really means being informed. Being informed means that
sufficient information must be provided AND that the information is
understandable by the average user. Protocols must be designed with
sufficient information capability to satisfy this requirement.

On Mon, 12 Jun 2006, Julian Reschke wrote:

> I guess what it means is that a user agent should not send a POST
> request unless the user has clicked on a button (something that stands
> out from a regular link). That's also why allowing form.submit or
> XHR.send() from within a script running "onload" is problematic.

This is a specific case where the protocol design has ignored the
realities of application user interaction design. I have found
no alternatives to form.submit() within onload for achieving rich
and smooth applications.

Single domain restrictions, with clear definition of a domain and some
ability to over-ride the restriction.

a. The C++ notion of friend classes provides a decent paradigm for a
server to indicate partner domains. For example, merchant account and
credit card payments are often handled by a different domain.
b. Certain large web content providers have a pool of domain names which
can't satisfy any simple pattern match. Google, Yahoo, CNN, Amazon are all
examples where their international servers may end up with local domain
names which need to intermingle with other local domains.
c. At the other end of the scale, small web providers are virtually hosted
on a shared server. Some aspects of the individual web sites may share
logic with the host.

Better to provide a clean way to handle common system issues than to
force creative hacks, false naming, etc., all of which lead to instability
and security issues.

Dave Morris

Received on Monday, 12 June 2006 17:33:01 UTC
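
The "friend" idea in items a to c above, sketched as a check a user agent could run before letting a script send a request; this is an added example, not part of the original message or of any specification. The `FRIENDS` table, its format, the function names and all hostnames are assumptions constructed for illustration.

```javascript
// Hypothetical declarations: each target origin lists the exact origins it
// treats as "friends". Constructed sample data, not a real policy format.
const FRIENDS = new Map([
  // (a) payment provider trusts one merchant
  ["https://pay.example.net", new Set(["https://shop.example.com"])],
  // (b) regional site whose name matches no simple pattern of the main site
  ["https://www.example.co.uk", new Set(["https://www.example.com"])],
  // (c) tenant on a shared host trusts the host's own origin, not co-tenants
  ["https://alice.hosting.example.org", new Set(["https://hosting.example.org"])],
]);

// Reduce a URL to scheme://host[:port]; null if unparsable or not http(s).
function originOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Default is the single-domain restriction; the only override is an exact
// entry declared by the target. No suffix or wildcard matching is done, so
// look-alike names and co-tenants on a shared parent domain gain nothing.
function mayScriptSend(pageUrl, targetUrl, friends = FRIENDS) {
  const page = originOf(pageUrl);
  const target = originOf(targetUrl);
  if (!page || !target) return { allowed: false, reason: "invalid-url" };
  if (page === target) return { allowed: true, reason: "same-origin" };
  const declared = friends.get(target);
  if (declared && declared.has(page)) {
    return { allowed: true, reason: "declared-friend" };
  }
  return { allowed: false, reason: "cross-origin" };
}
```

The declaration is one-directional: the target grants access to a page origin, and the reverse direction needs its own entry.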