On Feb 16, 2010, at 7:44 AM, Anne van Kesteren wrote:

> I introduced a new constructor argument for XMLHttpRequest, named
> anon. This is based on the earlier thread where I suggested that UMP
> is not needed if we make this small enhancement to XMLHttpRequest.
> Basically, if the parameter is set to true, the "XMLHttpRequest
> origin" is forced to be a unique identifier, setting a username and
> password through open() will throw an INVALID_ACCESS_ERR, and
> setting withCredentials will likewise throw an INVALID_ACCESS_ERR.
> All the other desired properties follow automatically. (In fact, the
> changes to open() would not have been needed.)

Does it also force the credentials flag to false? I assume the
combination of anon flag on and credentials flag on does not make sense.

> Now we introduced this I wonder if implementors are willing to
> consider to:
>
> A. Remove withCredentials. The use case for this feature is now
> rather small and I still think it is rather ugly.

withCredentials defaults to false. I think making it default to true
is probably too risky given deployed implementations. If we remove it
and leave it defaulting to false, then there would be no way to make a
request with user credentials.

> B. Also throw an INVALID_ACCESS_ERR for username and password
> arguments to open() when the URL provided is non same-origin. Now
> they are just ignored, but it seems better to throw so people are
> not confused why things are not working.

No opinion on this either way.

Regards,
Maciej