- From: Mike West <mkwst@google.com>
- Date: Mon, 3 Nov 2014 13:51:24 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cvHR7k-uCWz0qA5WHAFTN8G8wjZJtDKqnzB8BqLpQkgQ@mail.gmail.com>
https://github.com/w3c/webappsec/commit/aac819b28287e8fd3a9ebad2666336e2bc77a24b -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Mon, Nov 3, 2014 at 12:38 PM, Mike West <mkwst@google.com> wrote: > On Fri, Oct 31, 2014 at 8:55 AM, Anne van Kesteren <annevk@annevk.nl> > wrote: > >> > CORS isn't particularly relevant to either CSP or MIX, is it? Both >> intend to >> > block requests before they hit the network; CORS should never have a >> chance >> > to take effect. >> >> open() threw in some implementations for cross-origin URLs making it >> harder to introduce CORS. Having open() throw for the URL argument for >> anything other than parsing reasons is just bad news. >> > > Ok, this makes sense. Given the theoretical future world in which mixed > content blocks some amazing feature (perhaps the IoT discussion in that > other thread, for instance), we should drop the exception. Thanks for > arguing with me. :) > > -mike > > -- > Mike West <mkwst@google.com> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: Hamburg > Geschäftsführer: Graham Law, Christine Elizabeth Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) >
Received on Monday, 3 November 2014 12:52:13 UTC