Re: [cors] Uniform Messaging, a CSRF resistant profile of CORS

On Fri, Nov 20, 2009 at 5:04 PM, Tyler Close <tyler.close@gmail.com> wrote:
> MarkM and I have produced a draft specification for the GuestXHR
> functionality we've been advocating. The W3C style specification
> document is attached. We look forward to any feedback on it.
>
> We agree with others that "GuestXHR" was not a good name and so have
> named the proposal "Uniform Messaging" for reasons elaborated in the
> specification.
>
> To parallel the CORS separation of policy from API, this first
> document is the policy specification with an XMLHttpRequest-like API
> yet to follow.

I've only had time for a quick scan, but this looks like a very good proposal.

Is there a reason why a full XMLHttpRequest API couldn't be used? I
guess in its most simple incarnation things like setRequestHeader and
.withCredentials would be removed.

However, technically speaking, even setRequestHeader as well as
arbitrary HTTP methods could be allowed if preflight requests were
used. They would of course not contain any origin or referrer
information. At first glance this wouldn't expose any of the CSRF
problems you are trying to avoid. (Granted, it's 12:30am and I've had
a long day :) ).

Or would you rather wait with that until later?

/ Jonas

Received on Saturday, 21 November 2009 08:40:06 UTC
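
The idea raised in the reply above, as an added sketch that is not part of the original message or of the Uniform Messaging draft: a request that never carries credentials, origin or referrer information, with a preflight (equally anonymous) in front of non-simple methods and headers. The function name `planUniformRequest`, the reuse of the CORS preflight header names, and treating `Authorization` as a credential are assumptions made for illustration.

```javascript
// Added sketch (hypothetical names). Returns the messages that would go on
// the wire, in order. Whether the server approves the preflight is not modeled.

// Methods and headers CORS treats as "simple" (no preflight needed).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Assumption: headers that identify the user or the requesting page.
const IDENTIFYING = new Set(["cookie", "authorization", "origin", "referer"]);

function isSimpleHeader(name, value) {
  const n = name.toLowerCase();
  if (!SIMPLE_HEADERS.has(n)) return false;
  if (n !== "content-type") return true;
  // Content-Type is simple only for the three form-like media types.
  return SIMPLE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
}

function planUniformRequest({ method, url, headers = {} }) {
  const m = method.toUpperCase();
  // Drop identifying headers from the actual request.
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!IDENTIFYING.has(name.toLowerCase())) kept[name] = value;
  }
  // Author-set headers that are not simple must be announced in a preflight.
  const custom = Object.entries(kept)
    .filter(([n, v]) => !isSimpleHeader(n, v))
    .map(([n]) => n.toLowerCase())
    .sort();
  const messages = [];
  if (!SIMPLE_METHODS.has(m) || custom.length > 0) {
    // The preflight names the method and headers, and nothing about the sender.
    const preflight = { method: "OPTIONS", url, headers: { "Access-Control-Request-Method": m } };
    if (custom.length > 0) preflight.headers["Access-Control-Request-Headers"] = custom.join(", ");
    messages.push(preflight);
  }
  messages.push({ method: m, url, headers: kept });
  return messages;
}

// Constructed sample input.
const samplePlan = planUniformRequest({
  method: "DELETE",
  url: "https://api.example/items/7",
  headers: { "X-Request-Id": "abc", Cookie: "sid=1", Referer: "https://a.example/" },
});
console.log(JSON.stringify(samplePlan, null, 2));
```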