The part that is somewhat confusing to me is the note about XHR not being secure. How is XHR any more or less secure than an HTML request if both are using https? Maybe I am naive in assuming that, rather than having its own handling, the whole point of XHR is to use the HTML handling to send/receive non-HTML data (i.e. XHR over https is no more/less secure than HTML over https).
I realize that I basically asked this before, but I think a concise yes or no might help others who try pyjs to know exactly what the "rules" are concerning XHR. In the case of django + pyjs, one may, of course, require some code to get it working. Also, this is probably obvious to most experienced web developers, but browsers have some communication with webservers before sending the actual XHR request that is not done by libraries such as xmlrpclib and jsonrpclib. One example is that modern web browsers give an almost instantaneous "server not found" response if a local webserver is down, but jsonrpclib just hangs. This appears to give support to the idea/notion that XHR over https is no less secure than sending username + password to an HTML login page over https.

--Jeff

