lachlan.hunt at lachy.id.au
Sat Mar 11 15:21:51 PST 2006
Douglas Crockford wrote:
> I am proposing a new mechanism for doing data transport in Ajax/Comet
> applications. It is called JSONRequest. It is a minimal communications
> facility that can be exempted from the Same Origin Policy.
> You can read about it here: http://json.org/JSONRequest.html

It's an interesting concept, I just have a few issues with it.

You neglected to define the character encoding to be used for the POST
request sent by the browser. You mention that it can send 250,000
Unicode characters and that the response must be UTF-8, does this mean
that the request must also be UTF-8?

I agree that it's a good idea to ignore cookies and that is a major
security feature of this proposal, but would it not be possible to
introduce that same feature into XMLHttpRequest? Wouldn't it be better
to address the security concerns with XMLHttpRequest in order to allow
it limited access to any domain, than to introduce a new function?

I don't like the name "JSONRequest". It was a mistake to include "XML"
and "Http" in XMLHttpRequest, since the name unnecessarily describes the
format and the protocol used by the function, although we are stuck with
the name for backwards compatibility reasons. In reality XMLHttpRequest
is used for many different formats and the protocol is defined by the URI.

Although, as it currently stands, this proposal is limited to JSON, what
exactly makes JSON a more secure format than XML or anything else; and,
therefore, why must it be restricted to that format and thus included in
the function name?