[xhr2] AnonXMLHttpRequest()

After considering the various names for constructing an XMLHttpRequest  
object that when fetching would not expose the origin and user credentials  
I decided to go with AnonXMLHttpRequest(). It was already in the draft as  
a boolean argument for the constructor, but feedback from Maciej indicated  
that it was not good enough[1]. I also aligned the definition of user  
credentials with that of CORS:


Mark Miller has argued that AnonXMLHttpRequest might be misleading, but  
 from talking with Web developers -- asking them what they thought the  
effect on the request would be -- it seems that from

  * UniformXMLHttpRequest
  * AnonXMLHttpRequest
  * GuestXMLHttpRequest
  * NoContextXMLHttpRequest

AnonXMLHttpRequest was the most well understood. I do not think anybody  
will be confused that you can still include some kind of identifying token  
in the entity body or a request header and that the browser will not  
magically filter it out.

Mark Miller and Tab Atkins both argued against re-using XMLHttpRequest  
because it was not limited to XML and because it could also be used for  
HTTPS. The latter of those arguments is actually wrong. HTTPS is not a  
different protocol from HTTP, it is just a different URL scheme. (To be  
fair, browsers typically allow using XMLHttpRequest on the local file  

Even so, XMLHttpRequest is the way to do requests from JavaScript and the  
new constructor will expose an object that is identical to it. In fact, it  
inherits from it and shares the prototype chain. So I decided it was a)  
better to follow convention for interfaces that inherit and b) that since  
it is very similar in nature it should be similar in name, even though the  
name is not technically sound for historical reasons.


Anne van Kesteren

Received on Monday, 10 May 2010 11:06:17 UTC