W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: [MIX] Consider all CORS requests "active"

From: Mike West <mkwst@google.com>
Date: Tue, 22 Jul 2014 12:48:59 +0200
Message-ID: <CAKXHy=fguEaccWbWEVo_E-hkcuSSRiT1PiB2C8PZX4F9SLfH2g@mail.gmail.com>
To: Jake Archibald <jaffathecake@gmail.com>
Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jul 22, 2014 at 12:40 PM, Jake Archibald <jaffathecake@gmail.com> wrote:
> Looks great to me.

Hooray!

> In https://w3c.github.io/webappsec/specs/mixedcontent/#category-blockable, I
> don't think we need:
>
> * ServiceWorkers - we don't allow them on http pages & they can't be on
> other origins
> * Data - doesn't the CORS rule take care of this? (except WebSockets)

Indeed. These are double-blocked!

It's redundant, but I think dropping 'serviceworker',
'xmlhttprequest', and 'eventsource' from the "blockable" category
would be more confusing than leaving them there, even though they will
technically be blocked in a slightly different way than, say,
'script'.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 22 July 2014 10:49:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC