Re: [CORS] What constitutes a "network error"?

On Sun, Jul 25, 2010 at 2:33 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov <ap@webkit.org>
>> wrote:
>>>
>>> 20.07.2010, в 14:37, Jonas Sicking написал(а):
>>>
>>>> However I haven't been able to find a clear definition of what counts
>>>> as a "network error". Does this include successful HTTP requests that
>>>> return 4xx or 5xx status codes? Or just errors in the lower level of
>>>> the stack, such as aborted TCP connections?
>>>
>>>
>>> FWIW, I've been always assuming the latter. Blocking 4xx and 5xx
>>> responses would mean having a rather unexpected difference between same
>>> origin and cross origin XMLHttpRequest (the former lets JS code see such
>>> responses).
>>
>> I'm fairly certain that when we discussed this at the F2F in Redmond,
>> we talked about 4xxs aways resulting in failed requests. And that this
>> solved some security issues.
>>
>> However I could be misremembering, or we could have changed our minds
>> later.
>>
>> Definitely would like to hear others speak up.
>
> I don't remember that to be honest. CORS was always meant as some kind of
> layer on top, not interfering with normal HTTP response codes. I do agree I
> should clarify that though.

I don't think we would be interfering with HTTP either way.

Would be great to hear how you are intending to clarify this. I.e. if
a 404 response with CORS headers are exposed to the requesting site.

/ Jonas

Received on Monday, 26 July 2010 05:41:05 UTC