Re: [xhr2] AnonXMLHttpRequest()

On Mon, 10 May 2010 19:13:26 +0200, Mark S. Miller <erights@google.com>  
wrote:
> On Mon, May 10, 2010 at 4:05 AM, Anne van Kesteren <annevk@opera.com>  
> wrote:
>>  http://dev.w3.org/2006/webapi/XMLHttpRequest-2/
>
> In section 3.7.7, you say "Issue: Waiting for EcmaScript". What is this
> issue? (Apologies if I have missed a previous discussion of this.)

A native representation of octet data in ECMAScript. (Also needed by  
WebGL, arguably the 2D context API of <canvas>, and elsewhere...)


> At <http://dev.w3.org/2006/webapi/XMLHttpRequest-2/#ref-ecmascript> you  
> cite
> "ECMAScript Language
> Specification<http://www.ecma-international.org/publications/standards/Ecma-262.htm>,
> Third Edition. ECMA, December 1999." The link in that citation correctly
> links to the current EcmaScript spec, the Fifth Edition, December 2009.  
> The text in the citation should be updated.

Done.


> You note twice "The Cross-Origin Resource Sharing specification [...] for
> non same-origin requests." Is it clear from this document that uniform
> requests to the requestor's origin qualify as "non same-origin requests"?

Yes, see what the open() algorithm says on XMLHttpRequest origin.


> Even if this is precisely stated somewhere, I think the terminology is
> confusing. Will readers readily understand that these cases apply to  
> uniform requests made to the requestor's origin?

Do you mean if people will understand that this applies for requests using  
AnonXMLHttpRequest() on a resource with origin A to another resource with  
origin A? I think it is pretty clear for implementors that such requests  
are cross-origin as the XMLHttpRequest origin will be a globally unique  
identifier. That is, it is stated in the same style as most of the other  
requirements are. Most of the draft is not really suited for authors at  
the moment. I'd like to have some more interoperability on XMLHttpRequest  
Level 1 before I add little green boxes as HTML5 has.


> Can one derive from this spec + CORS that a uniform request must not  
> reveal the response to the requestor without a  
> "Access-Control-Allow-Origin: *"
> header, even if the request is made to the requestor's origin? Perhaps
> clearing up the previous confusion will address this point as well.

This seems like the same question.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 11 May 2010 07:41:27 UTC
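
The point made in the reply above, that a request whose XMLHttpRequest origin is a globally unique identifier is cross-origin even when it targets the requesting page's own origin, can be modelled in a few lines. This is an added sketch, not code from the thread or from either specification. The function names and the `a.example.test` URLs are hypothetical, and it assumes a simplified resource sharing check that compares the header against the serialized request origin, with a unique origin serializing as "null".

```javascript
// Added sketch: simplified model, all names hypothetical, URLs constructed.

// Tuple origin (scheme, host, port) derived from a URL.
function tupleOrigin(url) {
  return { kind: "tuple", value: new URL(url).origin };
}

// A fresh origin per anonymous request; it equals nothing but itself.
function uniqueOrigin() {
  return { kind: "unique", id: Symbol("unique origin") };
}

function sameOrigin(a, b) {
  if (a.kind === "unique" || b.kind === "unique") return a === b;
  return a.value === b.value;
}

// Assumption: a non-tuple origin serializes as the string "null".
function serialize(origin) {
  return origin.kind === "tuple" ? origin.value : "null";
}

// Simplified sharing check: exactly one header value; "*" passes only
// without credentials; otherwise a case-sensitive match is required.
function sharingCheck(requestOrigin, allowOriginValues, withCredentials) {
  if (allowOriginValues.length !== 1) return false;
  const value = allowOriginValues[0];
  if (value === "*") return !withCredentials;
  return value === serialize(requestOrigin);
}

// May the requesting script read the response body?
function responseReadable(requestOrigin, targetUrl, allowOriginValues, withCredentials) {
  if (sameOrigin(requestOrigin, tupleOrigin(targetUrl))) return true;
  return sharingCheck(requestOrigin, allowOriginValues, withCredentials);
}

const page = "https://a.example.test/app";    // constructed requesting page
const target = "https://a.example.test/data"; // same tuple origin as the page
const anon = uniqueOrigin();

console.log("ordinary request, no header:", responseReadable(tupleOrigin(page), target, [], true));
console.log("anonymous, no header:", responseReadable(anon, target, [], false));
console.log("anonymous, page origin echoed:", responseReadable(anon, target, ["https://a.example.test"], false));
console.log("anonymous, wildcard:", responseReadable(anon, target, ["*"], false));
```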