- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 17 Feb 2010 09:24:56 +0100
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WebApps WG" <public-webapps@w3.org>
On Tue, 16 Feb 2010 19:53:22 +0100, Jonas Sicking <jonas@sicking.cc> wrote: > Hmm.. I have three concerns. > > 1. There's a risk of breaking existing content > 2. I'd fairly strongly prefer to default to *not* sending credentials. You get that if you use the new constructor. > It's better that people by default get a simpler security model, and > if really needed, opt in to getting a more complex one. I wouldn't > want people to end up setting up the server to accepting requests with > credentials because they don't know about credential-less requests, or > because the back end developer is a stronger developer than the front > end developer and so the team ends up deciding to make the change > there. I don't really get the latter justification. The back end can always ignore the credentials. > 3. The new syntax is fairly unintuitive. I would prefer to use a > separate constructor, like AnonXMLHttpRequest. Given the limited new functionality I thought it would be best to not further clutter the global object. -- Anne van Kesteren http://annevankesteren.nl/
Received on Wednesday, 17 February 2010 08:25:29 UTC