- From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
- Date: Mon, 20 Mar 2006 22:44:56 +1100
Gervase Markham wrote: > Douglas Crockford wrote: >> The JSONRequest does only one thing: > <snip> > > Are you planning to take the excellent advice from <I forget who> > to change the name? That was me. Nice to see I'm quite memorable :-) > The name XmlHttpRequest sucks because it doesn't > necessarily return XML, and it doesn't have to be over HTTP. I agree, but considering we're stuck with it... > Why not just call it "Request", Why not just reuse XMLHttpRequest? > and have an API to set the Accept: header, XHR already does. var r = new XMLHttpRequest(); r.open("post", "http://example.org/json") r.setRequestHeader("Accept", "application/json"); r.setRequestHeader("Content-Type", "application/json") r.send(jsonData); To make XMLHttp as secure as JSONRequest claims to be (assuming for the moment that the proposal can be made completely secure), we would just need to find a way to tell the UA to allow cross domain access for XHR under certain conditions by meeting the criteria in Security section of the JSONRequest proposal. e.g. Don't send cookies, usernames, passwords, etc., prevent access to detailed error messages from other domains, help prevent DoS attacks to other domains using random delays between requests and address any other security concerns raised. That way, if the conditions are met by both the script and server, the UA could allow access to the response, otherwise treat it as an XSS attack of some sort and deny it. -- Lachlan Hunt http://lachy.id.au/
Received on Monday, 20 March 2006 03:44:56 UTC