- From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
- Date: Sun, 12 Mar 2006 10:21:51 +1100

Douglas Crockford wrote:
> I am proposing a new mechanism for doing data transport in Ajax/Comet
> applications. It is called JSONRequest. It is a minimal communications
> facility that can be exempted from the Same Origin Policy.
>
> You can read about it here: http://json.org/JSONRequest.html

It's an interesting concept, I just have a few issues with it.

You neglected to define the character encoding to be used for the POST request sent by the browser. You mention that it can send 250,000 Unicode characters and that the response must be UTF-8, does this mean that the request must also be UTF-8?

I agree that it's a good idea to ignore cookies and that is a major security feature of this proposal, but would it not be possible to introduce that same feature into XMLHttpRequest? Wouldn't it be better to address the security concerns with XMLHttpRequest in order to allow it limited access to any domain, than to introduce a new function?

I don't like the name "JSONRequest". It was a mistake to include "XML" and "Http" in XMLHttpRequest, since the name unnecessarily describes the format and the protocol used by the function, although we are stuck with the name for backwards compatibility reasons. In reality XMLHttpRequest is used for many different formats and the protocol is defined by the URI.

Although, as it currently stands, this proposal is limited to JSON, what exactly makes JSON a more secure format than XML or anything else; and, therefore, why must it be restricted to that format and thus included in the function name?

--
Lachlan Hunt
http://lachy.id.au/

Received on Saturday, 11 March 2006 15:21:51 UTC