W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: [MIX] Consider all CORS requests "active"

From: Jake Archibald <jaffathecake@gmail.com>
Date: Fri, 11 Jul 2014 11:02:13 +0100
Message-ID: <CAJ5xic97zxVr7Q+zGP1EdJG3iP=9-ZO8o5D6ygm-JWatdyURZw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 11 July 2014 09:27, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Jul 10, 2014 at 2:39 PM, Mike West <mkwst@google.com> wrote:
> > This section notes that we'd throw exceptions synchronously when we
> > can determine that a request would be blocked. That is, if XHR
> > requests an HTTP resource on an HTTPS page, we'd fail the call to
> > `open()`.
> >
> > I think we'd still want to do that.
>
> Why? Throwing like that (back then for cross-origin URLs) almost
> prevented us introducing CORS in the way we did. MIX should be
> strictly a Fetch-level affair in my opinion. Let's not introduce it in
> several layers.
>

Agreed. Also, newer APIs of this sort will be promise-based (fetch,
cache.add) and they should never synchronously throw, even if an error can
be discovered synchronously.
Received on Friday, 11 July 2014 10:02:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC