Showing Posts For Waflix.2503:
I am currently working on a JavaScript-based tool using v2 of the API. I’m aiming for maximum browser compatibility and the tool works on nearly every browser since 2008… except IE9 and lower.
The problem lies in the fact that IE9 (and below) use the (now-deprecated) XDomainRequest, which tries to prevent mixed content security threats by disallowing HTTPS pages from requesting information from HTTP sources, but also the other way around (which is absolutely unnecessary). [1]
I intend to distribute my tool and I predict many of its users will not be in possession of a TLS certificate, essentially blocking 10% of its users from using my tool on their website.
Is it possible to expose the API without TLS? Because of security issues I would imagine the authenticated endpoints would not be accessible over HTTP, but for example the items endpoint does not contain any sensitive data and as far as I know cookies are not being used.
[1] http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx