Re: UMP / CORS: Implementor Interest

Consolidating replies a bit...

On Apr 22, 2010, at 11:29 AM, Dirk Pranke wrote:

> Here's some new directions ...
> ContextFreeRequest
> StatelessRequest
> SessionlessRequest

All HTTP requests are stateless, and sessionless could mean many  
things, so I'm not keen on those. ContextFree is a good suggestion.

> or, since we're really talking about cookies here ...
> CookielessRequest
> CookieFreeRequest
> SugarFreeRequest
> IncognitoRequest    (playing off of Chrome's "Incognito" mode, which
> doesn't use your browser's normal cookie store)

Cookies are not the only issue. Another key difference is not sending  
headers that identify the site making the request (e.g. Origin or  
Referer). Secondary issues are other forms of client authentication  
such as HTTP authentication and SSL client certificates. Those are not  
very commonly used on public Web sites, but they need to be excluded  
for the proposed API to be secure.

On Apr 22, 2010, at 11:37 AM, Tab Atkins Jr. wrote:

> Count me as one web developer who won't miss the annoying and
> inaccurate "XH" from any future "R"s.  I think that dropping them now
> won't be very confusing (the Request part has always been the
> meaningful one for me), and it then opens the door for future types of
> Requests to just share in the Request name, not the full baggage-laden
> XHR name.

If we do drop the "XH" that gives us the freedom to be a little more  
verbose in the rest of the name, if we so choose.


Received on Thursday, 22 April 2010 18:50:38 UTC