- From: Doron Rosenberg <doronr@gmail.com>
- Date: Thu, 10 Mar 2005 10:18:16 -0600
Well, the code in Mozilla is well tested and already used in the wild. The benefit of the extra request is that we don't fetch any data unless we are allowed to. In your model, we would fetch the XML, and then check if there is a header that allows us to pass it to the user. So one could argue it's "safer" to first check credentials and then fetch the data (albeit a bit slower). And I think easy deployment is important. Cross domain is only really important for intranets. 95% of the time this will be internet XML services, which you can already access from any domain by using a proxy script (foo.com/foo.html reads in foo.com/foo.jsp, which calls bar.com/xml.php). So the only people we want to protect are intranet XML services, and we don't want to allow access to those without permission.
Received on Thursday, 10 March 2005 08:18:16 UTC
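
The two models compared in the message above, as an added sketch that is not part of the original message and is not Mozilla's code. The `/access-policy` path, the `X-Allow-Origin` header, the origins and all function names are hypothetical; the service is a constructed in-memory stand-in that records which resources it was asked for.

```javascript
// Constructed stand-in for an intranet XML service (hypothetical names throughout).
function makeService(allowedOrigins) {
  const log = []; // every path the service actually received
  return {
    log,
    request(path) {
      log.push(path);
      if (path === "/access-policy") {
        // Permission resource: lists the origins allowed to read data.
        return { status: 200, headers: {}, body: allowedOrigins.join(" ") };
      }
      // Data resource: permission travels with the data as a header.
      return {
        status: 200,
        headers: { "X-Allow-Origin": allowedOrigins.join(" ") },
        body: "<payroll>constructed sample</payroll>",
      };
    },
  };
}

// Model A (the extra request): check permission first, fetch only if granted.
function fetchCheckFirst(service, origin, path) {
  const policy = service.request("/access-policy");
  const allowed =
    policy.status === 200 && policy.body.split(" ").includes(origin);
  if (!allowed) return { delivered: null, requests: 1 };
  return { delivered: service.request(path).body, requests: 2 };
}

// Model B (single request): fetch the data, then decide whether the
// calling page is allowed to see what was already fetched.
function fetchThenCheck(service, origin, path) {
  const res = service.request(path);
  const allowed = (res.headers["X-Allow-Origin"] || "")
    .split(" ")
    .includes(origin);
  return { delivered: allowed ? res.body : null, requests: 1 };
}

// Run one origin through both models against fresh services and report
// what the page received and what each service was asked for.
function compare(origin, allowedOrigins, path) {
  const a = makeService(allowedOrigins);
  const b = makeService(allowedOrigins);
  return {
    checkFirst: { ...fetchCheckFirst(a, origin, path), serverSaw: a.log },
    thenCheck: { ...fetchThenCheck(b, origin, path), serverSaw: b.log },
  };
}
```

For a denied origin both models deliver nothing to the page, but only in the single-request model does the data resource get requested at all, which is the difference the message calls "safer" at the cost of one extra round trip for allowed origins.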