W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2005

[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

From: Doron Rosenberg <doronr@gmail.com>
Date: Thu, 10 Mar 2005 10:18:16 -0600
Message-ID: <6814aebd050310081871be7930@mail.gmail.com>
Well, the code in Mozilla is well tested and already used in the wild.

The benefit of the extra request is that we don't fetch any data
unless we are allowed to.  In your model, we would fetch the XML, and
then check if there is a header that allows us to pass it to the user.

So one could argue its "safer" to first check credentials and then
fetch the data (albeit a bit slower).

And I think easy delpoyment is important.  Cross domain is only really
important for intranets.  95% of the time this will be internet XML
services, whom you can already access from any domain by using a proxy
script (foo.com/foo.html reads in foo.com/foo.jsp, which calls
bar.com/xml.php).  So the only people we want to protect is intranet
xml services, and we don't want to allow access to those without
permission.
Received on Thursday, 10 March 2005 08:18:16 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:39 UTC