W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [CORS] What constitutes a "network error"?

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 25 Jul 2010 22:40:08 -0700
Message-ID: <AANLkTinFr7CfrBZe3AnLUDOOrP-f9g09sJfS7SwHisAP@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Alexey Proskuryakov <ap@webkit.org>, Webapps WG <public-webapps@w3.org>
On Sun, Jul 25, 2010 at 2:33 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov <ap@webkit.org>
>> wrote:
>>> 20.07.2010, в 14:37, Jonas Sicking написал(а):
>>>> However I haven't been able to find a clear definition of what counts
>>>> as a "network error". Does this include successful HTTP requests that
>>>> return 4xx or 5xx status codes? Or just errors in the lower level of
>>>> the stack, such as aborted TCP connections?
>>> FWIW, I've been always assuming the latter. Blocking 4xx and 5xx
>>> responses would mean having a rather unexpected difference between same
>>> origin and cross origin XMLHttpRequest (the former lets JS code see such
>>> responses).
>> I'm fairly certain that when we discussed this at the F2F in Redmond,
>> we talked about 4xxs aways resulting in failed requests. And that this
>> solved some security issues.
>> However I could be misremembering, or we could have changed our minds
>> later.
>> Definitely would like to hear others speak up.
> I don't remember that to be honest. CORS was always meant as some kind of
> layer on top, not interfering with normal HTTP response codes. I do agree I
> should clarify that though.

I don't think we would be interfering with HTTP either way.

Would be great to hear how you are intending to clarify this. I.e. if
a 404 response with CORS headers are exposed to the requesting site.

/ Jonas
Received on Monday, 26 July 2010 05:41:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:10 UTC