[OpenAjaxSecurity] W3C Access Control vs JSONRequest

Kris Zyp kzyp at sitepen.com
Wed Jan 9 09:56:13 PST 2008

First, thanks for spearheading these discussions, I appreciate it.
> Yes, your table is still useful. Any chance you can correct the statement about cookies?
Oh yeah, I guess I do have edit permission on my site ;). Ok, it is fixed.

> One *big* advantage I see to JSONRequest is that the industry could start using its APIs immediately via an Ajax library that delivers
> JSONRequest. This new Ajax library would check to see if the browser supports JSONRequest natively, otherwise the features are 
> accomplished by using existing features (i.e., dynamic script tag) under the hood. You should know more about this than anyone since 
> you have implemented JSONRequest in JavaScript within CrossSafe: http://code.google.com/p/crosssafe/. :-) To me, making magic 
> work in today's browsers (versus waiting years for a new spec to be implemented) is one of the tenets of Ajax.
Yeah, that's right, I did write that, I should be more of proponent of JSONRequest :). I have been thinking about how I could adapt CrossSafe to the XHR API, it would require a responseJSON property (another reason why I thought to lobby for it). But, you are right, they are definitely some distinct advantages to the JSONRequest, and the ability to implement the current API to some degree with current technology is indeed one of them.
But I must say, I am still undecided on which one I like more.
Also, I think there are pros and cons to have two technologies out there, at least in FF3. You are right that it is advantageous to have one good solution, rather than two solutions that people need to pick from. However, the industry will not really have to decide between them until all browsers implement something, and having both techs implemented in FF3 may be a good testbed for other browsers to decide which one to choose (although doesn't the spec lead work for Opera, I am sure their path is already determined). Seeing how an implementation interpretates the W3C/AC suggestion about protecting private data in headers/cookies would be interesting.
Anyway, just some thoughts, sorry I haven't any decent conclusions :). Thanks again for your initiative, Jon, you have some good points.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://openajax.org/pipermail/security/attachments/20080109/9b576892/attachment.html 

More information about the security mailing list