Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

Hi Kris,
All good points. I'm quite fond of XMLHttpRequest, also. My key points were
not that we should invent a new vendor-neutral API, but instead my key
point was that we should produce a unification approach acceptable to all
and therefore addresses all of the same security issues that have been
addressed in the various proposals (where the server has to opt-in before
potentially unsafe features are enabled) and moves domain-based allow/deny
enforcement from the client to the server.


             "Kris Zyp"                                                    
             >                                                          To 
             Sent by:                  "Jonas Sicking" <>, 
             public-appformats         Jon Ferraiolo/Menlo Park/IBM@IBMUS  
                                       "WAF WG \(public\)"                 
             05/15/08 08:39 PM                                     Subject 
                                       Re: [AC] URI canonicalization       
                                       problem with                        

> * Rename it to something suitably vendor-neutral (DataRequest)

I happen to be very fond of XMLHttpRequest, I have little bit of code that
already uses it, it would be nice to be able to reuse for cross-site
requests ;).
Seriously though, what is more vendor-neutral than XMLHttpRequest, every
browser implements it, if anything it is MS-ish, since they invented it.
Why does a cross-site mechanism need a new API? Claiming that a new API
somehow helps security is obviously without merit. The new API proposals
also have lossed some important functionality from XHR, most importantly
neither XDR nor JSONRequest have any mechanism for making synchronous
requests. asyns-sync is completely orthogonal to security, and why should
that capability be eliminated just because you are doing a cross-site
request? Synchronous requests are essential in code where you have to add a
request, but you can't change the API (asynchronous requests always require
adding a callback to the chain of callers). I know at Dojo we have
significant use cases for synchronous cross-site requests.

Another example: JSONRequest doesn't have any mechanism for progress
events/incremental loading. XDR did reinvent this with their onprogress
event. This is another feature that XHR already covers. We have also
discussed possible techniques for providing advice on long-lived
connections for pipelining issues. Will we have to rehash those discussions
for another API?

AC definitely made the right decision in not reinventing the JS HTTP API,


Received on Friday, 16 May 2008 15:29:38 UTC