Re: [XHR2] new XMLHttpRequest(anon)

Hmm.. I have three concerns.

1. There's a risk of breaking existing content
2. I'd fairly strongly prefer to default to *not* sending credentials.
It's better that people by default get a simpler security model, and
if really needed, opt in to getting a more complex one. I wouldn't
want people to end up setting up the server to accepting requests with
credentials because they don't know about credential-less requests, or
because the back end developer is a stronger developer than the front
end developer and so the team ends up deciding to make the change
3. The new syntax is fairly unintuitive. I would prefer to use a
separate constructor, like AnonXMLHttpRequest.

For me 2 is the biggest problem, but 1 definitely is too.

/ Jonas

On Tue, Feb 16, 2010 at 8:52 AM, Anne van Kesteren <> wrote:
> On Tue, 16 Feb 2010 17:46:20 +0100, Jonas Sicking <> wrote:
>> On Tue, Feb 16, 2010 at 7:44 AM, Anne van Kesteren <>
>> wrote:
>>> A. Remove withCredentials. The use case for this feature is now rather
>>> small and I still think it is rather ugly.
>> How do you mean? How would the author indicate that credentials should
>> be included?
> They would always be included unless you do new XMLHttpRequest(true).
> --
> Anne van Kesteren

Received on Tuesday, 16 February 2010 18:54:20 UTC