Re: [XHR2] new XMLHttpRequest(anon)

Hmm.. I have three concerns.

1. There's a risk of breaking existing content
2. I'd fairly strongly prefer to default to *not* sending credentials.
It's better that people by default get a simpler security model, and
if really needed, opt in to getting a more complex one. I wouldn't
want people to end up setting up the server to accepting requests with
credentials because they don't know about credential-less requests, or
because the back end developer is a stronger developer than the front
end developer and so the team ends up deciding to make the change
there.
3. The new syntax is fairly unintuitive. I would prefer to use a
separate constructor, like AnonXMLHttpRequest.

For me 2 is the biggest problem, but 1 definitely is too.

/ Jonas

On Tue, Feb 16, 2010 at 8:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 16 Feb 2010 17:46:20 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> On Tue, Feb 16, 2010 at 7:44 AM, Anne van Kesteren <annevk@opera.com>
>> wrote:
>>>
>>> A. Remove withCredentials. The use case for this feature is now rather
>>> small and I still think it is rather ugly.
>>
>> How do you mean? How would the author indicate that credentials should
>> be included?
>
> They would always be included unless you do new XMLHttpRequest(true).
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>

Received on Tuesday, 16 February 2010 18:54:20 UTC