Re: [MIX] Consider all CORS requests "active"

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 11 Jul 2014 10:27:02 +0200
Message-ID: <CADnb78i9HnvLnXSUjkJfDgzr7pUFhTVzUipu90u7QzOTDqKRwg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Jake Archibald <jaffathecake@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jul 10, 2014 at 2:39 PM, Mike West <mkwst@google.com> wrote:
> This section notes that we'd throw exceptions synchronously when we
> can determine that a request would be blocked. That is, if XHR
> requests an HTTP resource on an HTTPS page, we'd fail the call to
> `open()`.
> I think we'd still want to do that.

Why? Throwing like that (back then for cross-origin URLs) almost
prevented us introducing CORS in the way we did. MIX should be
strictly a Fetch-level affair in my opinion. Let's not introduce it in
several layers.

Received on Friday, 11 July 2014 08:27:29 UTC
