- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 25 Jul 2010 22:40:08 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Alexey Proskuryakov <ap@webkit.org>, Webapps WG <public-webapps@w3.org>

On Sun, Jul 25, 2010 at 2:33 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov <ap@webkit.org>
>> wrote:
>>>
>>> On 20.07.2010, at 14:37, Jonas Sicking wrote:
>>>
>>>> However I haven't been able to find a clear definition of what counts
>>>> as a "network error". Does this include successful HTTP requests that
>>>> return 4xx or 5xx status codes? Or just errors in the lower level of
>>>> the stack, such as aborted TCP connections?
>>>
>>>
>>> FWIW, I've been always assuming the latter. Blocking 4xx and 5xx
>>> responses would mean having a rather unexpected difference between same
>>> origin and cross origin XMLHttpRequest (the former lets JS code see such
>>> responses).
>>
>> I'm fairly certain that when we discussed this at the F2F in Redmond,
>> we talked about 4xxs always resulting in failed requests. And that this
>> solved some security issues.
>>
>> However I could be misremembering, or we could have changed our minds
>> later.
>>
>> Definitely would like to hear others speak up.
>
> I don't remember that to be honest. CORS was always meant as some kind of
> layer on top, not interfering with normal HTTP response codes. I do agree I
> should clarify that though.

I don't think we would be interfering with HTTP either way. Would be
great to hear how you are intending to clarify this. I.e. if a 404
response with CORS headers is exposed to the requesting site.

/ Jonas

Received on Monday, 26 July 2010 05:41:05 UTC