
RE: ISSUE-18: Is JSONRequest an acceptable alternative to the current model? [Access Control]

From: Close, Tyler J. <tyler.close@hp.com>
Date: Fri, 4 Jan 2008 23:22:11 +0000
To: Anne van Kesteren <annevk@opera.com>
CC: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <C7B67062D31B9E459128006BAAD0DC3D144B3D66@G6W0269.americas.hpqcorp.net>

Anne van Kesteren wrote:
> Tyler Close wrote:
> > Similarly, the JSONRequest proposal only supports this functionality for
> > JSON. Both proposals can tunnel other Content-Types within their
> > supported Content-Type.
>
> You failed to reply to the XSLT and XBL remarks that the JSON
> thingie does not address.

I don't know the details of the XSLT and XBL requirements. I'm not proposing the "JSON thingie" as a replacement for the work this WG has done (that's clearly not going to happen). I'm just saying it's good work that provides a useful fallback position should the XMLHttpRequest extension encounter problems.

> > The two proposals have made opposite choices on fundamental design
> > decisions, such as: where policy is enforced, whether or not cookies are
> > sent, and whether or not interoperation with existing resources is
> > supported.
>
> We got feedback that sending cookies and authentication data is *very*
> important.

I only said the choices are different. I expect there are those who think sending this information is *very* important. I think it's dangerous, since you're not just allowing the host to send the request, but also send it under the user's credentials.

> > Any one of these choices could prove significant to adoption. For
> > example, some developers may require better support for other
> > Content-Types; whereas some organizations may be reticent to allow
> > installation of browsers that may interoperate with existing web
> > resources in unanticipated ways.
>
> The access control proposal does not interoperate with existing web
> content in unanticipated ways. The policy is *opt-in*.

In theory there's no difference between theory and practice. In practice there is. The XMLHttpRequest extension is vulnerable to much more devastating implementation errors than is the JSONRequest proposal. (I'm also not saying the XMLHttpRequest proposal works in theory; it still needs more review.)

I just think this WG should encourage adoption of JSONRequest, in addition to whatever else it does. There's little cost and significant advantage.

--Tyler
Received on Friday, 4 January 2008 23:23:53 UTC
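The credentials argument in the message above (a cross-site request that carries the user's cookies acts with the user's authority, so a mistake in the origin policy check is far more costly than under a no-cookie model), as an added example that is not part of the thread and not code from either proposal. It is a toy model in JavaScript: a hypothetical resource server with a constructed session store and balance, an opt-in origin list, an optional policy-check bug (prefix matching instead of exact matching, assumed here purely to illustrate an implementation error), and a browser stub that either forwards the victim's cookie or never sends cookies. All origins, cookie values, amounts and function names are constructed for the demo.

```javascript
// Added example, not from the original thread. Models how the same origin-policy
// bug plays out when cookies are forwarded versus when they are never sent.

function makeServer({ allowedOrigins, buggyPrefixMatch = false }) {
  // Constructed state: one logged-in user with a session cookie and a balance.
  const sessions = { "sid-alice": "alice" };
  const balances = { alice: 100 };

  // Opt-in origin policy. The optional bug models an implementation error:
  // prefix matching accepts "https://partner.example.attacker.test" as well.
  function originAllowed(origin) {
    if (typeof origin !== "string") return false;
    if (buggyPrefixMatch) return allowedOrigins.some((a) => origin.startsWith(a));
    return allowedOrigins.includes(origin);
  }

  // POST /transfer: debits whichever user the session cookie identifies.
  function transfer(req) {
    if (!originAllowed(req.origin)) {
      return { status: 403, reason: "origin not allowed" };
    }
    const user = req.cookies ? sessions[req.cookies.sid] : undefined;
    if (!user) {
      return { status: 401, reason: "no credentials" };
    }
    if (!Number.isInteger(req.amount) || req.amount <= 0) {
      return { status: 400, reason: "bad amount" };
    }
    balances[user] -= req.amount;
    return { status: 200, user, remaining: balances[user] };
  }

  return { transfer, balance: (user) => balances[user] };
}

// Browser side: the request the resource server sees under each model.
// cookiesSent=true forwards the user's cookies with the cross-site request;
// cookiesSent=false never attaches them (the JSONRequest-style choice).
function browserRequest({ origin, userCookies, cookiesSent, amount }) {
  return {
    origin,
    cookies: cookiesSent ? userCookies : undefined,
    amount,
  };
}

// Scenario: a page on an attacker-controlled origin whose name happens to
// start with the allowed partner origin asks the server to move money.
function runScenario({ cookiesSent, buggyPrefixMatch }) {
  const server = makeServer({
    allowedOrigins: ["https://partner.example"],
    buggyPrefixMatch,
  });
  const req = browserRequest({
    origin: "https://partner.example.attacker.test", // constructed attacker origin
    userCookies: { sid: "sid-alice" },                // the victim's own session cookie
    cookiesSent,
    amount: 40,
  });
  const res = server.transfer(req);
  return { status: res.status, aliceBalance: server.balance("alice") };
}

// Stand-alone run: print the four combinations.
for (const cookiesSent of [true, false]) {
  for (const buggyPrefixMatch of [false, true]) {
    console.log({ cookiesSent, buggyPrefixMatch, ...runScenario({ cookiesSent, buggyPrefixMatch }) });
  }
}
```

With exact matching both models reject the attacker origin. With the prefix bug, the cookie-forwarding model lets the attacker's page debit Alice's account (the request arrives as Alice), while the no-cookie model turns the same bug into a harmless 401: the attacker gets through the origin check but holds no authority of the user's.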
