- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 11 May 2010 09:40:35 +0200
- To: "Mark S. Miller" <erights@google.com>
- Cc: "WebApps WG" <public-webapps@w3.org>
On Mon, 10 May 2010 19:13:26 +0200, Mark S. Miller <erights@google.com> wrote: > On Mon, May 10, 2010 at 4:05 AM, Anne van Kesteren <annevk@opera.com> > wrote: >> http://dev.w3.org/2006/webapi/XMLHttpRequest-2/ > > In section 3.7.7, you say "Issue: Waiting for EcmaScript". What is this > issue? (Apologies if I have missed a previous discussion of this.) A native representation of octet data in ECMAScript. (Also needed by WebGL, arguably the 2D context API of <canvas>, and elsewhere...) > At <http://dev.w3.org/2006/webapi/XMLHttpRequest-2/#ref-ecmascript> you > cite > "ECMAScript Language > Specification<http://www.ecma-international.org/publications/standards/Ecma-262.htm>, > Third Edition. ECMA, December 1999." The link in that citation correctly > links to the current EcmaScript spec, the Fifth Edition, December 2009. > The text in the citation should be updated. Done. > You note twice "The Cross-Origin Resource Sharing specification [...] for > non same-origin requests." Is it clear from this document that uniform > requests to the requestor's origin qualify as "non same-origin requests"? Yes, see what the open() algorithm says on XMLHttpRequest origin. > Even if this is precisely stated somewhere, I think the terminology is > confusing. Will readers readily understand that these cases apply to > uniform requests made to the requestor's origin? Do you mean if people will understand that this applies for requests using AnonXMLHttpRequest() on a resource with origin A to another resource with origin A? I think it is pretty clear for implementors that such requests are cross-origin as the XMLHttpRequest origin will be a globally unique identifier. That is, it is stated in the same style as most of the other requirements are. Most of the draft is not really suited for authors at the moment. I'd like to have some more interoperability on XMLHttpRequest Level 1 before I add little green boxes as HTML5 has. > Can one derive from this spec + CORS that a uniform request must not > reveal the response to the requestor without a > "Access-Control-Allow-Origin: *" > header, even if the request is made to the requestor's origin? Perhaps > clearing up the previous confusion will address this point as well. This seems like the same question. -- Anne van Kesteren http://annevankesteren.nl/
Received on Tuesday, 11 May 2010 07:41:27 UTC