
“Concerns” raised about W3C Access Control spec have been little more than FUD

Microsoft’s lead PM for XHR/Ajax sneaks some FUD into a new IE Blog posting, “Securing Cross Site XMLHttpRequest”, that otherwise gives a succinct and fairly balanced overview of the shared problem case that the various competing “cross-site request” spec proposals (Microsoft’s XDR/XDomainRequest proposal, the W3C Access Control for Cross-Site Requests draft, and Doug Crockford’s JSONRequest) are all trying to solve.

It’s great to see that Sunava includes in that posting a call to join the W3C Web Applications Working Group. It’s less great to see the following sentence in the posting:

As can be expected with securing a large cross section of cross domain scenarios, a number of concerns have been identified with the CS-XHR [W3C Access-Control for Cross-Site Requests] draft by the web development community, the IE team members and members of the Web Apps Working Group.

What’s not great about that sentence is what it obscures:

  • many of the “concerns” raised about the Access-Control spec have been little more than FUD
  • a number of the non-FUD concerns were based on simple misunderstandings of the spec
  • the remaining concerns have already been addressed/rebutted repeatedly by implementors such as Jonas Sicking (who wrote the code for the Access-Control support in Mozilla), Kris Zyp, and others
  • a number of detailed and substantial concerns have also been identified with the Microsoft XDomainRequest proposal (by Kris Zyp and several other people), but those concerns have yet to be adequately addressed in any responses from Microsoft

We (the W3C WebApps WG) will be having a face-to-face meeting next week in Redmond (hosted by Microsoft) to continue the discussion.
