[whatwg] JSONRequest

Lachlan Hunt lachlan.hunt at lachy.id.au
Mon Mar 20 03:44:56 PST 2006

Gervase Markham wrote:
> Douglas Crockford wrote:
>> The JSONRequest does only one thing:
> <snip>
> Are you planning to take the excellent advice from <I forget who>
> to change the name? 

That was me.  Nice to see I'm quite memorable :-)

> The name XmlHttpRequest sucks because it doesn't
> necessarily return XML, and it doesn't have to be over HTTP.

I agree, but considering we're stuck with it...

> Why not just call it "Request",

Why not just reuse XMLHttpRequest?

> and have an API to set the Accept: header,

XHR already does.

var r = new XMLHttpRequest();
r.open("post", "http://example.org/json")
r.setRequestHeader("Accept", "application/json");
r.setRequestHeader("Content-Type", "application/json")

To make XMLHttp as secure as JSONRequest claims to be (assuming for the 
moment that the proposal can be made completely secure), we would just 
need to find a way to tell the UA to allow cross domain access for XHR 
under certain conditions by meeting the criteria in Security section of 
the JSONRequest proposal.

e.g. Don't send cookies, usernames, passwords, etc., prevent access to 
detailed error messages from other domains, help prevent DoS attacks to 
other domains using random delays between requests and address any other 
security concerns raised.

That way, if the conditions are met by both the script and server, the 
UA could allow access to the response, otherwise treat it as an XSS 
attack of some sort and deny it.

Lachlan Hunt

More information about the whatwg mailing list