- From: Mike West <mkwst@google.com>
- Date: Mon, 3 Nov 2014 12:38:25 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Monday, 3 November 2014 11:39:13 UTC
On Fri, Oct 31, 2014 at 8:55 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > > CORS isn't particularly relevant to either CSP or MIX, is it? Both > intend to > > block requests before they hit the network; CORS should never have a > chance > > to take effect. > > open() threw in some implementations for cross-origin URLs making it > harder to introduce CORS. Having open() throw for the URL argument for > anything other than parsing reasons is just bad news. > Ok, this makes sense. Given the theoretical future world in which mixed content blocks some amazing feature (perhaps the IoT discussion in that other thread, for instance), we should drop the exception. Thanks for arguing with me. :) -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 3 November 2014 11:39:13 UTC