Re: [xhr2] AnonXMLHttpRequest()

Tue, 11 May 2010 00:42:09 -0700

On Mon, 10 May 2010 19:13:26 +0200, Mark S. Miller <erig...@google.com> wrote:
On Mon, May 10, 2010 at 4:05 AM, Anne van Kesteren <ann...@opera.com> wrote: 
 http://dev.w3.org/2006/webapi/XMLHttpRequest-2/


In section 3.7.7, you say "Issue: Waiting for EcmaScript". What is this
issue? (Apologies if I have missed a previous discussion of this.)



A native representation of octet data in ECMAScript. (Also needed by  
WebGL, arguably the 2D context API of <canvas>, and elsewhere...)




At <http://dev.w3.org/2006/webapi/XMLHttpRequest-2/#ref-ecmascript> you  
cite

"ECMAScript Language
Specification<http://www.ecma-international.org/publications/standards/Ecma-262.htm>,
Third Edition. ECMA, December 1999." The link in that citation correctly

links to the current EcmaScript spec, the Fifth Edition, December 2009.  
The text in the citation should be updated.


Done.



You note twice "The Cross-Origin Resource Sharing specification [...] for
non same-origin requests." Is it clear from this document that uniform
requests to the requestor's origin qualify as "non same-origin requests"?


Yes, see what the open() algorithm says on XMLHttpRequest origin.



Even if this is precisely stated somewhere, I think the terminology is

confusing. Will readers readily understand that these cases apply to  
uniform requests made to the requestor's origin?



Do you mean if people will understand that this applies for requests using  
AnonXMLHttpRequest() on a resource with origin A to another resource with  
origin A? I think it is pretty clear for implementors that such requests  
are cross-origin as the XMLHttpRequest origin will be a globally unique  
identifier. That is, it is stated in the same style as most of the other  
requirements are. Most of the draft is not really suited for authors at  
the moment. I'd like to have some more interoperability on XMLHttpRequest  
Level 1 before I add little green boxes as HTML5 has.




Can one derive from this spec + CORS that a uniform request must not  
reveal the response to the requestor without a  
"Access-Control-Allow-Origin: *"

header, even if the request is made to the requestor's origin? Perhaps
clearing up the previous confusion will address this point as well.


This seems like the same question.


--
Anne van Kesteren
http://annevankesteren.nl/
























					Reply via email to