- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 7 Apr 2009 18:52:33 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org

On Tue, Apr 7, 2009 at 5:55 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> You are proposing a model where there's two types of XHR objects. One
>> where we specifically tell users that you can rely on the request
>> won't be sent cross site, and one where you can't.
>
> I'm proposing that we leave the existing security model in place and
> provide a switch that applications must flip in order to swap in the
> new security model. I've proposed a design where flipping this switch
> requires minimal changes to existing application code. There's nothing
> radical about this proposal, it's just the way things are done when
> you're being careful.

I maintain that we are talking about very small differences. I'm still not convinced that the problem you are trying to solve is a problem large enough to need solving. But I also don't think that the solution that you are proposing is a huge burden on authors or UA implementors.

In other words, I think both the benefit and the cost of your solution are small but non-zero. However, the cost does seem to me that it's bigger than the benefit. The biggest cost being a cluttering of the web platform API.

This is the same reason that I've been arguing against the XDomainRequest API that Microsoft is introducing in IE. It largely works the same as XMLHttpRequest, but it is a different API from it.

/ Jonas

Received on Wednesday, 8 April 2009 01:53:23 UTC