Re: [MIX] Modifications to script APIs

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 12:38:25 +0100
Message-ID: <CAKXHy=dgR=JjN5cCH8u0oFVW7TjqRGZz+v=Hos9bod-DGL6ygw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Fri, Oct 31, 2014 at 8:55 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> > CORS isn't particularly relevant to either CSP or MIX, is it? Both intend to
> > block requests before they hit the network; CORS should never have a chance
> > to take effect.
>
> open() threw in some implementations for cross-origin URLs making it
> harder to introduce CORS. Having open() throw for the URL argument for
> anything other than parsing reasons is just bad news.
>

Ok, this makes sense. Given the theoretical future world in which mixed
content blocks some amazing feature (perhaps the IoT discussion in that
other thread, for instance), we should drop the exception. Thanks for
arguing with me. :)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 3 November 2014 11:39:13 UTC
