(Quotes reordered.)
On May 10, 2008, at 01:46 , Chris Wilson wrote:
* Chris Wilson wrote:
Even according to the designer of Access Control, the feature was
designed for non browser applications, and the idea of enabling AC
for
the browser platform by applying Access Control to XHR “came as an
afterthought.” [7].
[7] http://lists.w3.org/Archives/Public/public-webapi/2008Mar/0154.html
Henri is talking about his validator.nu site, not about "Access
Control"
(neither is he "the designer of Access Control").
Right you are, on both points. My apologies.
Moreover, the way my message was quoted misses the point of my
message. The point is this:
I designed RESTful Web service APIs according to best practice with
knowledge that the APIs would be called by untrusted HTTP clients out
there. Those HTTP clients could be of any kind from my point of view--
currently browsers just refuse.
With access-control, I was able to add a policy that will make
browsers not refuse in one place without changing my RESTful API
design and without changing the way a client script programmer sees
the API.
All three competing proposals (XDR, JSONRequest and postMessage
+iframe) would require me to add a new API design alongside the ones I
already have and tailor it to the whims of the competing proposal.
--
Henri Sivonen
[EMAIL PROTECTED]
http://hsivonen.iki.fi/
