- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 16 Feb 2010 10:53:22 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: WebApps WG <public-webapps@w3.org>

Hmm.. I have three concerns.

1. There's a risk of breaking existing content
2. I'd fairly strongly prefer to default to *not* sending credentials. It's better that people by default get a simpler security model, and if really needed, opt in to getting a more complex one. I wouldn't want people to end up setting up the server to accept requests with credentials because they don't know about credential-less requests, or because the back end developer is a stronger developer than the front end developer and so the team ends up deciding to make the change there.
3. The new syntax is fairly unintuitive. I would prefer to use a separate constructor, like AnonXMLHttpRequest.

For me 2 is the biggest problem, but 1 definitely is too.

/ Jonas

On Tue, Feb 16, 2010 at 8:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 16 Feb 2010 17:46:20 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> On Tue, Feb 16, 2010 at 7:44 AM, Anne van Kesteren <annevk@opera.com>
>> wrote:
>>>
>>> A. Remove withCredentials. The use case for this feature is now rather
>>> small and I still think it is rather ugly.
>>
>> How do you mean? How would the author indicate that credentials should
>> be included?
>
> They would always be included unless you do new XMLHttpRequest(true).
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/

Received on Tuesday, 16 February 2010 18:54:20 UTC