
Cross-Site HTTP Requests Now Supported in Firefox - shmichael
https://developer.mozilla.org/en/HTTP_access_control
======
ratsbane
- Looking forward to using these new HTML-5ish features: storage, location,
workers, accelerometer... It's going to be like web 2.0 all over again.

- The Mozilla Developer site has a lot of good documentation and examples:
<https://developer.mozilla.org/en/Firefox_3.6_for_developers>

~~~
olegk
Except you can't, since none of that works in IE.

~~~
njharman
Sure you can.

Depends on your target audience. IE has vanishingly small market share amongst
several groups such as tech savvy, non-MS developers, Apple fanboys, etc.

Also, if those capabilities lead to features that vastly surpass your
competition it'll be easier to own a majority of non-IE customers than it would
be going after all customers with generic features.

You don't need every person with a web connection as a customer, you just need
enough to be profitable/successful.

~~~
eli
But if you cater to poor corporate suckers like me, IE still has the vast majority
of traffic. It's hard to justify spending any time on features they won't see.

In some industries, IE6 is still the plurality.

~~~
MartinCron
What industry would that be, time travel? :)

Here in the present, IE6 is around 2-3% of visitors.

~~~
dandelany
As scary as this may be:

The financial services industry. I work on a large retail trading site - many
of our customers and a majority of our clients still visit our site in IE6.
They have no choice, and some of them do not even realize they have no choice.

------
idm
whoah, whoah.... I have really wanted to use cross-site http requests, but I'm
having some trouble understanding certain decisions here.

Why are they using a new set of HTTP headers to describe scenarios that are
already covered by HTTP response codes? Why does the client send an Origin
header at all in the first place, when it can be inferred from the referer?
Why does the server respond with a list of allowed origins, when it could
simply send an HTTP response code to say allowed/not allowed/auth
required/etc.

I'm probably missing something, but this just doesn't add up...

EDIT:

Oh - maybe because there isn't a good javascript interface to HTTP response
codes? Well, it sounds like a client-side solution would be to build this
interface, rather than making the server support some weird headers that will
still rely on the client to faithfully perform access control.

------
geuis
I was just playing with this the other day. One interesting thing this now lets you
do is cross-site basic http authentication if your server is configured to
accept the new headers.

I'm talking to YOU, Twitter...

~~~
bbuffone
This is the problem I see with the cross-domain requests; it puts the
implementation change on the service provider rather than the app provider. If
I was building an application using PHP I don't need to get Twitter to change
their server to allow me to call their APIs, so why is this different?

~~~
notauser
That's less of an issue for intentional APIs (where the API provider is
already doing work for you) than it is for unintentional APIs (rss feeds, any
reasonably clean page you can crawl with jQuery) where the provider will do
nothing to help you.
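
The header exchange discussed in the comments above (the Origin request header, the server's allowed-origin response header, enforcement by the browser, and the credentialed case that cross-site HTTP authentication falls under), sketched as an added example that is not part of the thread. The function names, the allowlist and the origins are constructed for illustration.

```javascript
"use strict";

// Constructed sample allowlist: origins the service provider has decided to trust.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Server side: choose the CORS response headers for a request's Origin header.
// The decision is keyed on Origin (scheme + host + port), not on the Referer.
function corsResponseHeaders(requestOrigin, { allowCredentials = false } = {}) {
  const headers = { Vary: "Origin" }; // caches must not reuse a grant across origins
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return headers; // no grant: the response carries no Access-Control-* headers
  }
  // Echo the exact origin; a wildcard cannot be combined with credentials.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: the check that decides whether page script may read the response.
// This models the enforcement step that the thread notes is left to the client.
function browserExposesResponse(pageOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (withCredentials) {
    // Credentialed requests (cookies, HTTP authentication) need an exact
    // origin match plus an explicit Access-Control-Allow-Credentials: true.
    return (
      allow === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true"
    );
  }
  return allow === "*" || allow === pageOrigin;
}

// Constructed scenarios.
const trusted = corsResponseHeaders("https://app.example", { allowCredentials: true });
const untrusted = corsResponseHeaders("https://other.example", { allowCredentials: true });
const wildcard = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};
console.log(browserExposesResponse("https://app.example", trusted, true));    // true
console.log(browserExposesResponse("https://other.example", untrusted, true)); // false
console.log(browserExposesResponse("https://app.example", wildcard, true));    // false
```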

