On Tue, 16 Feb 2010 19:53:22 +0100, Jonas Sicking wrote:
> Hmm.. I have three concerns.
> 1. There's a risk of breaking existing content
> 2. I'd fairly strongly prefer to default to *not* sending credentials.

You get that if you use the new constructor.

> It's better that people by default get a simpler security model, and
> if really needed, opt in to getting a more complex one. I wouldn't
> want people to end up setting up the server to accept requests with
> credentials because they don't know about credential-less requests, or
> because the back end developer is a stronger developer than the front
> end developer and so the team ends up deciding to make the change
> there.

I don't really get the latter justification. The back end can always
ignore the credentials.

> 3. The new syntax is fairly unintuitive. I would prefer to use a
> separate constructor, like AnonXMLHttpRequest.

Given the limited new functionality I thought it would be best to not
further clutter the global object.
--
Anne van Kesteren
http://annevankesteren.nl/