- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 16 Feb 2010 16:58:34 -0800
- To: Anne van Kesteren <annevk@opera.com>
- Cc: WebApps WG <public-webapps@w3.org>
On Feb 16, 2010, at 7:44 AM, Anne van Kesteren wrote: > I introduced a new constructor argument for XMLHttpRequest, named > anon. This is based on the earlier thread where I suggested that UMP > is not needed if we make this small enhancement to XMLHttpRequest. > > Basically, if the parameter is set to true, the "XMLHttpRequest > origin" is forced to be a unique identifier, setting a username and > password through open() will throw an INVALID_ACCESS_ERR, and > setting withCredentials will likewise throw an INVALID_ACCESS_ERR. > All the other desired properties follow automatically. (In fact, the > changes to open() would not have been needed.) Does it also force the credentials flag to false? I assume the combination of anon flag on and credentials flag on does not make sense. > > > Now we introduced this I wonder if implementors are willing to > consider to: > > A. Remove withCredentials. The use case for this feature is now > rather small and I still think it is rather ugly. withCredentials defaults to false. I think making it default to true is probably too risky given deployed implementations. If we remove it and leave it defaulting to false, then there would be no way to make a request with user credentials. > > B. Also throw an INVALID_ACCESS_ERR for username and password > arguments to open() when the URL provided is non same-origin. Now > they are just ignored, but it seems better to throw so people are > not confused why things are not working. No opinion on this either way. Regards, Maciej
Received on Wednesday, 17 February 2010 00:59:06 UTC