BOSH is a specification that defines how XMPP can be used over HTTP. It’s obviously written by people who know what they’re talking about, because they’ve got good requirements, and get into great detail about the design choices they’ve made. Unfortunately, BOSH makes the one big mistake that so many others make; treating HTTP as a transport protocol. To wit;
POST /webclient HTTP/1.1 Host: httpcm.jabber.org Accept-Encoding: gzip, deflate Content-Type: text/xml; charset=utf-8 Content-Length: 188 <body rid='1249243562' sid='SomeSID' xmlns='http://jabber.org/protocol/httpbind'> <message to='contact@example.com' xmlns='jabber:client'> <body>I said "Hi!"</body> </message> <message to='friend@example.com' xmlns='jabber:client'> <body>I said "Hi!"</body> </message> </body>
(you might also note that all of their example requests are POSTs to /webclient – a warning sign if ever there was one)
The intent of that message is to send two messages, one to each of the recipients at example.com. If we were treating HTTP as an application protocol, that would be done like this;
POST mailto:contact@example.com HTTP/1.1 Host: httpcm.jabber.org Accept-Encoding: gzip, deflate Content-Type: text/xml; charset=utf-8 Content-Length: nnn <body rid='1249243562' sid='SomeSID' xmlns='http://jabber.org/protocol/httpbind'> <message xmlns='jabber:client'> <body>I said "Hi!"</body> </message> <body> POST mailto:friend@example.com HTTP/1.1 Host: httpcm.jabber.org Accept-Encoding: gzip, deflate Content-Type: text/xml; charset=utf-8 Content-Length: mmm <body rid='1249243562' sid='SomeSID' xmlns='http://jabber.org/protocol/httpbind'> <message xmlns='jabber:client'> <body>I said "Hi!"</body> </message> </body>
Alternately, if you don’t like proxies, the mailto URIs could be swapped out for an http URI specific to each mail address. But the point is that HTTP semantics be reused by recasting XMPP to them, rather than the current approach of grafting XMPP on top (read: obliterating). Don’t like two messages? Try pipelining them. Can’t pipeline? Does some other feature not map well onto HTTP in this way? Then it wasn’t meant to be.
We use HTTP (and the Web) because we want to be part of the Web; participate in the network effects, make information freely available (like, say, my presence status), etc.. We don’t do it because we need a way to get past firewalls. Good admins will avoid deploying software behind their firewall which subverts the intent of the firewall.