[whatwg] ContextAgnosticXmlHttpRequest: an informal RFC

Doron Rosenberg doronr at gmail.com
Thu Mar 10 08:18:16 PST 2005


Well, the code in Mozilla is well tested and already used in the wild.

The benefit of the extra request is that we don't fetch any data
unless we are allowed to.  In your model, we would fetch the XML, and
then check if there is a header that allows us to pass it to the user.

So one could argue it's "safer" to first check credentials and then
fetch the data (albeit a bit slower).

And I think easy deployment is important.  Cross domain is only really
important for intranets.  95% of the time this will be internet XML
services, which you can already access from any domain by using a proxy
script (foo.com/foo.html reads in foo.com/foo.jsp, which calls
bar.com/xml.php).  So the only people we want to protect are intranet
XML services, and we don't want to allow access to those without
permission.
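
Added example, not part of the original message and not the Mozilla code it refers to: a constructed model of the two approaches compared above, counting how many requests each makes and whether the document body ever leaves the service when the calling origin is not permitted. The service, origins, policy format and function names are all hypothetical.

```javascript
// Constructed model of an intranet XML service. All names are hypothetical.
function makeService(allowedOrigins) {
  const stats = { requests: 0, bodiesSent: 0 };
  return {
    stats,
    // Permission query: answers yes/no for an origin, never returns the document.
    checkAccess(origin) {
      stats.requests++;
      return allowedOrigins.includes(origin);
    },
    // Data request: the body leaves the service together with its access policy.
    fetchDocument() {
      stats.requests++;
      stats.bodiesSent++;
      return { allow: allowedOrigins.slice(), body: "<salaries>...</salaries>" };
    },
  };
}

// Model with the extra request: ask first, fetch only if permitted.
function checkThenFetch(service, origin) {
  if (!service.checkAccess(origin)) return null;
  return service.fetchDocument().body;
}

// Model without it: fetch, then decide on the client whether to pass the body on.
function fetchThenCheck(service, origin) {
  const response = service.fetchDocument();
  return response.allow.includes(origin) ? response.body : null;
}

// Run one model against a fresh service; report what the page got and what it cost.
function run(model, origin) {
  const service = makeService(["http://portal.intranet.example"]);
  const delivered = model(service, origin);
  return { delivered: delivered !== null, ...service.stats };
}

const denied = "http://foo.example";
const allowed = "http://portal.intranet.example";
console.log("check-then-fetch, denied :", run(checkThenFetch, denied));
console.log("fetch-then-check, denied :", run(fetchThenCheck, denied));
console.log("check-then-fetch, allowed:", run(checkThenFetch, allowed));
console.log("fetch-then-check, allowed:", run(fetchThenCheck, allowed));
```

In both models the denied page receives nothing, but only in the fetch-then-check model has the body already been sent to the client; the price of avoiding that is the second request in the allowed case.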