[whatwg] JSONRequest
Lachlan Hunt
lachlan.hunt at lachy.id.au
Mon Mar 20 03:44:56 PST 2006
Gervase Markham wrote:
> Douglas Crockford wrote:
>> The JSONRequest does only one thing:
> <snip>
>
> Are you planning to take the excellent advice from <I forget who>
> to change the name?
That was me. Nice to see I'm quite memorable :-)
> The name XmlHttpRequest sucks because it doesn't
> necessarily return XML, and it doesn't have to be over HTTP.
I agree, but considering we're stuck with it...
> Why not just call it "Request",
Why not just reuse XMLHttpRequest?
> and have an API to set the Accept: header,
XHR already does.
var r = new XMLHttpRequest();
r.open("post", "http://example.org/json");
r.setRequestHeader("Accept", "application/json");        // ask for JSON back
r.setRequestHeader("Content-Type", "application/json");  // say what we're sending
r.send(jsonData);
To make XMLHttp as secure as JSONRequest claims to be (assuming for the
moment that the proposal can be made completely secure), we would just
need to find a way to tell the UA to allow cross domain access for XHR
under certain conditions by meeting the criteria in the Security section
of the JSONRequest proposal.
e.g. Don't send cookies, usernames, passwords, etc., prevent access to
detailed error messages from other domains, help prevent DoS attacks to
other domains using random delays between requests and address any other
security concerns raised.
That way, if the conditions are met by both the script and server, the
UA could allow access to the response, otherwise treat it as an XSS
attack of some sort and deny it.
--
Lachlan Hunt
http://lachy.id.au/
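As an added example, not code from this thread or from the JSONRequest proposal, here is a sketch in JavaScript of the UA-side gate the message describes: the request is checked for ambient credentials and JSON content types, the response for a body that really is JSON, and any failure collapses to one opaque denial with a random delay (applied here only to denials, a simplification of the proposal's delay between requests). All function names are assumptions.

```javascript
// Added example, not code from the thread. Every name here is hypothetical.
// A cross-domain XHR may see the response only if the request carries no
// ambient credentials, both sides use application/json, and the body parses
// as JSON. Anything else yields one opaque error after a random delay.

const JSON_TYPE = "application/json";

// Headers that would carry ambient authority to the other domain.
const CREDENTIAL_HEADERS = ["cookie", "authorization", "proxy-authorization"];

// Normalise header names to lower case so lookups are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const k of Object.keys(headers || {})) out[k.toLowerCase()] = headers[k];
  return out;
}

// The script's side of the bargain: no credentials, JSON in and JSON out.
function requestMeetsConditions(req) {
  const h = lowerKeys(req.headers);
  if (req.withCredentials) return false;
  if (CREDENTIAL_HEADERS.some((name) => name in h)) return false;
  if (h["accept"] !== JSON_TYPE) return false;
  if (req.body !== undefined && h["content-type"] !== JSON_TYPE) return false;
  return true;
}

// The server's side: it must answer with a body that really is JSON.
function responseMeetsConditions(res) {
  const h = lowerKeys(res.headers);
  if (!String(h["content-type"] || "").startsWith(JSON_TYPE)) return false;
  try {
    JSON.parse(res.body);
    return true;
  } catch (e) {
    return false;
  }
}

// UA decision. `rand` is injectable so the random delay is testable.
function gateCrossDomainResponse(req, res, rand = Math.random) {
  if (requestMeetsConditions(req) && responseMeetsConditions(res)) {
    return { allowed: true, data: JSON.parse(res.body) };
  }
  // Opaque failure: no status, no message, delayed 0..999 ms.
  return { allowed: false, error: "denied", delayMs: Math.floor(rand() * 1000) };
}
```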