[whatwg/fetch] Should errors be considered same-origin or cross-origin? (#848) from Matt Falkenhagen on 2018-12-11 (public-webapps-github@w3.org from December 2018)

From: Matt Falkenhagen <notifications@github.com>
Date: Tue, 11 Dec 2018 06:02:33 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/848@github.com>

This came up in a Blink [Intent to Ship](https://groups.google.com/a/chromium.org/d/msg/blink-dev/7OSy00oxVpk/siufiQVBBwAJ).

HTML defines [CORS-same-origin](https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-same-origin) in a way that excludes 'error' responses. As a result, stylesheets that fail to load are considered cross-origin, so stylesheet.cssRules will throw a SecurityError.

Is this the recommended way specs interpret the Fetch response type 'error', and if so why?

I could imagine an alternative design we have 'error' and 'opaqueerror', where 'error' is network error from a same-origin URL and opaqueerror is a network error from a cross-origin URL. Was that type of design considered and rejected?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/848

Received on Tuesday, 11 December 2018 14:03:00 UTC