[whatwg] JSONRequest

Lachlan Hunt lachlan.hunt at lachy.id.au
Sat Mar 11 15:21:51 PST 2006

Douglas Crockford wrote:
> I am proposing a new mechanism for doing data transport in Ajax/Comet
> applications. It is called JSONRequest. It is a minimal communications
> facility that can be exempted from the Same Origin Policy.
> You can read about it here: http://json.org/JSONRequest.html

It's an interesting concept; I just have a few issues with it.

You neglected to define the character encoding to be used for the POST
request sent by the browser.  You mention that it can send 250,000
Unicode characters and that the response must be UTF-8; does this mean
that the request must also be UTF-8?

I agree that it's a good idea to ignore cookies and that is a major 
security feature of this proposal, but would it not be possible to 
introduce that same feature into XMLHttpRequest?  Wouldn't it be better 
to address the security concerns with XMLHttpRequest in order to allow 
it limited access to any domain, than to introduce a new function?

I don't like the name "JSONRequest".  It was a mistake to include "XML" 
and "Http" in XMLHttpRequest, since the name unnecessarily describes the 
format and the protocol used by the function, although we are stuck with 
the name for backwards compatibility reasons.  In reality XMLHttpRequest 
is used for many different formats and the protocol is defined by the URI.

Although, as it currently stands, this proposal is limited to JSON, what 
exactly makes JSON a more secure format than XML or anything else; and, 
therefore, why must it be restricted to that format and thus included in 
the function name?

Lachlan Hunt
