- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Sat, 10 May 2008 12:53:47 +0300
- To: Chris Wilson <chris.wilson@microsoft.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, "public-webapi@w3.org" <public-webapi@w3.org>
(Quotes reordered.) On May 10, 2008, at 01:46 , Chris Wilson wrote: > >> * Chris Wilson wrote: >>> Even according to the designer of Access Control, the feature was >>> designed for non browser applications, and the idea of enabling AC >>> for >>> the browser platform by applying Access Control to XHR “came as an >>> afterthought.” [7]. >> >>> [7] http://lists.w3.org/Archives/Public/public-webapi/2008Mar/0154.html >> >> Henri is talking about his validator.nu site, not about "Access >> Control" >> (neither is he "the designer of Access Control"). > Right you are, on both points. My apologies. Moreover, the way my message was quoted misses the point of my message. The point is this: I designed RESTful Web service APIs according to best practice with knowledge that the APIs would be called by untrusted HTTP clients out there. Those HTTP clients could be of any kind from my point of view-- currently browsers just refuse. With access-control, I was able to add a policy that will make browsers not refuse in one place without changing my RESTful API design and without changing the way a client script programmer sees the API. All three competing proposals (XDR, JSONRequest and postMessage +iframe) would require me to add a new API design alongside the ones I already have and tailor it to the whims of the competing proposal. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/
Received on Saturday, 10 May 2008 09:54:27 UTC