I introduced a new constructor argument for XMLHttpRequest, named anon. This is based on the earlier thread where I suggested that UMP is not needed if we make this small enhancement to XMLHttpRequest.

Basically, if the parameter is set to true, the "XMLHttpRequest origin" is forced to be a unique identifier, setting a username and password through open() will throw an INVALID_ACCESS_ERR, and setting withCredentials will likewise throw an INVALID_ACCESS_ERR. All the other desired properties follow automatically. (In fact, the changes to open() would not have been needed.)


Now that we have introduced this, I wonder if implementors are willing to consider:

A. Remove withCredentials. The use case for this feature is now rather small and I still think it is rather ugly.

B. Also throw an INVALID_ACCESS_ERR for username and password arguments to open() when the URL provided is non same-origin. Now they are just ignored, but it seems better to throw so people are not confused why things are not working.


Feedback would be much appreciated!


--
Anne van Kesteren
http://annevankesteren.nl/
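
A runnable model of the behaviour described in the message above, added here as an illustration and not code from the author or from any browser. `ModelXHR`, `documentOrigin`, `strictCrossOriginAuth` (which switches on proposal B) and `errorName` are hypothetical names, and the model assumes absolute URLs.

```javascript
// Model only: mirrors the rules stated in the message, sends nothing.
class InvalidAccessError extends Error {
  constructor(msg) { super(msg); this.name = "INVALID_ACCESS_ERR"; }
}

class ModelXHR {
  constructor(anon, { documentOrigin, strictCrossOriginAuth = false } = {}) {
    this.anon = Boolean(anon);
    this.strict = strictCrossOriginAuth; // proposal B: throw instead of ignoring
    // anon forces the request origin to a unique identifier, so it can never
    // compare equal to the origin of any URL.
    this.origin = this.anon ? Symbol("unique origin")
                            : new URL(documentOrigin).origin;
    this._withCredentials = false;
  }
  get withCredentials() { return this._withCredentials; }
  set withCredentials(value) {
    if (this.anon) throw new InvalidAccessError("withCredentials on anon request");
    this._withCredentials = Boolean(value);
  }
  open(method, url, username, password) {
    const hasAuth = username != null || password != null;
    if (this.anon && hasAuth) {
      throw new InvalidAccessError("username/password on anon request");
    }
    // URL.origin normalises default ports: https://a.example:443 == https://a.example
    const sameOrigin = new URL(url).origin === this.origin;
    if (!sameOrigin && hasAuth && this.strict) {
      throw new InvalidAccessError("username/password on cross-origin request");
    }
    // Without proposal B, cross-origin username/password are silently ignored.
    return { method, sameOrigin, authSent: sameOrigin && hasAuth };
  }
}

// Returns the name of the error thrown by fn, or null if it did not throw.
function errorName(fn) {
  try { fn(); return null; } catch (e) { return e.name; }
}
```

Because an anon request is never same-origin in this model, its username and password would already fall under the cross-origin rule, which is the point of the parenthetical remark about `open()`.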
