- From: <bugzilla@jessica.w3.org>
- Date: Mon, 04 Mar 2013 06:04:52 +0000
- To: public-webapps-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=21147
Takashi Toyoshima <toyoshim@chromium.org> changed:
What    |Removed |Added
----------------------------------------------------------------------------
CC      |        |toyoshim@chromium.org
--- Comment #3 from Takashi Toyoshima <toyoshim@chromium.org> ---
(In reply to comment #2)
> What I consider useful is that the JS code can get the HTTP status code to
> inform the user (for example 403 could mean "You are not authorized to
> connect to this WebSocket server").
It might be useful, but at the same time, it means that a malicious script can
attack an arbitrary HTTP page using HTTP auth by using WebSocket. From the
viewpoint of security, I believe that we should not expose the HTTP response code
to JavaScript.
Received on Monday, 4 March 2013 06:04:57 UTC