> > You failed to reply to the XSLT and XBL remarks that the JSON thingie does > not address. These are important use cases.
IMO the JSON use case is a couple of orders of magnitude more important than the XSLT or XBL requirements. JSON is a primary format for cross-site data exchange today, and is likely to grow in usage in the coming years as more people discover its virtues. Overall, I would prefer it if browsers would adopt JSONRequest rather than Access Control. JSONRequest was designed carefully from a security perspective, such as the random delay feature. It achieves its results *without* sending cookies (the cookie feature in Access Control scares lots of us because of CSRF issues). I recognize that the WAF committee has spent lots of time and effort on the existing Access Control, but I think the community would be better served by having browsers implement JSONRequest instead. (JSONRequest would be even better if it allowed XML data in addition to JSON data.) For XSLT and XBL, shouldn't browsers allow cross-site (GET) access in the same way it does for CSS stylesheets and SCRIPT tags? Jon
