Re: [whatwg/xhr] Integrate feature policy (#177)

annevk commented on this pull request.



> @@ -1021,6 +1022,13 @@ method must run these steps:
   <p>Otherwise, if the <a>synchronous flag</a> is set, run these substeps:
 
   <ol>
+   <li>
+    <p>If <a>context object</a>'s <a>relevant settings object</a> has a
+    <a>responsible document</a> and it is <em>not</em>
+    <a>allowed to use</a> the <a>Synchronous XMLHttpRequest</a>
+    feature, then run <a>handle response end-of-body</a> for a <a>network
+    error</a> and return.
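
Review bot: the condition on the first added line is only evaluated when the relevant settings object "has a responsible document", and the step does not say what happens when there is none, so in that case the algorithm falls through to the ordinary synchronous path. If that is intended, a short non-normative note saying so would keep readers from wondering whether the policy check was meant to cover contexts without a responsible document as well.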

It seems nicer to throw during `open()`, no?

> @@ -2031,6 +2039,19 @@ attributes initialized to false, so it is suggested that for consistency all
 {{ProgressEvent}} interface do the same.
 
 
+<h3 id=feature-policy>Feature Policy Integration</h3>
+
+<p>This specification defines a policy-controlled feature named <dfn>Synchronous
+XMLHttpRequest</dfn>.
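
Review bot: "policy-controlled feature" in the first added paragraph is plain text, so nothing tells the reader which specification defines it. Wrap it in `<a>` so it resolves to its definition, and consider referencing the Feature Policy specification on first mention, since the heading is currently the only place it is named.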

Are all features supposed to follow this naming convention?

> @@ -2031,6 +2039,19 @@ attributes initialized to false, so it is suggested that for consistency all
 {{ProgressEvent}} interface do the same.
 
 
+<h3 id=feature-policy>Feature Policy Integration</h3>
+
+<p>This specification defines a policy-controlled feature named <dfn>Synchronous
+XMLHttpRequest</dfn>.
+
+<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr".

xref "feature name"

And make it `"<code>sync-xhr</code>"`.

> @@ -2031,6 +2039,19 @@ attributes initialized to false, so it is suggested that for consistency all
 {{ProgressEvent}} interface do the same.
 
 
+<h3 id=feature-policy>Feature Policy Integration</h3>
+
+<p>This specification defines a policy-controlled feature named <dfn>Synchronous
+XMLHttpRequest</dfn>.
+
+<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr".
+
+<p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>.
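
Review bot: the last added paragraph writes "Synchronous XMLHttpRequest" as plain text, whereas the paragraph just above it uses `<a>Synchronous XMLHttpRequest</a>`; use the link in both so the term resolves to the `<dfn>`. The paragraph also gives the value `<code>*</code>` without saying what it means for embedded documents, so a one-sentence explanation of its effect would help.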

xref "default allowlist" (elsewhere we use safelist for things like this, is this different enough to use a new name?)

> @@ -2031,6 +2039,19 @@ attributes initialized to false, so it is suggested that for consistency all
 {{ProgressEvent}} interface do the same.
 
 
+<h3 id=feature-policy>Feature Policy Integration</h3>
+
+<p>This specification defines a policy-controlled feature named <dfn>Synchronous
+XMLHttpRequest</dfn>.
+
+<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr".
+
+<p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>.
+
+<p>When disabled in a document, calling send() on an XMLHttpRequest object with
+the synchronous flag set MUST cause a DOMException named
+ <code>NetworkError</code> to be thrown.
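
Review bot: the final added paragraph says "When disabled in a document", which is not the "allowed to use" wording the send() step earlier in this patch checks, so the two statements can drift apart. If the paragraph stays, phrase it in terms of `<a>allowed to use</a>`, mark up `send()` and `XMLHttpRequest`, and use lower-case "must" to match the surrounding text ("method must run these steps"); the third added line also has a stray leading space before `<code>NetworkError</code>`.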

Please remove this. We don't want duplicate requirements.

-- 
https://github.com/whatwg/xhr/pull/177#pullrequestreview-84493458

Received on Tuesday, 19 December 2017 15:53:14 UTC