Re: [MIX] Modifications to script APIs

You did. I'm still not sure I agree with you. :)

If we know in `open()` that we're not going to load the resource (because
the URL is a priori insecure), why not throw?

If we decide not to throw, we'll need to change CSP as well; I believe we
do the same thing.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Oct 30, 2014 at 2:48 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> I'm pretty sure I raised this before.
>
> Throwing from XMLHttpRequest's open() method for something that is
> effectively a network error is not acceptable. This should happen
> asynchronously during send() as part of the integration between Fetch
> and Mixed Content.
>
> The same comment applies to EventSource.
>
> WebSocket is somewhat harder since it does not go through Fetch, but I
> think we want the same principle to apply there.
>
>
> --
> https://annevankesteren.nl/
>
>

Received on Thursday, 30 October 2014 14:06:43 UTC
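The two behaviours debated in this thread, as an added example that is not part of either message or of any specification: a wrapper that reports a blocked request the same way whether `open()` throws synchronously or the failure arrives as an asynchronous error after `send()`. `request`, `compare`, `insecure`, `ThrowingXhr` and `AsyncErrorXhr` are hypothetical names, and the two classes are constructed stand-ins that treat any `http:` URL as blocked; they are not browser code.

```javascript
// Added example. XhrCtor is injected so this runs outside a browser;
// in a page you would pass window.XMLHttpRequest.
function request(XhrCtor, method, url) {
  const fail = (how, msg) => Object.assign(new Error(msg), { how, url });
  return new Promise((resolve, reject) => {
    const xhr = new XhrCtor();
    xhr.onload = () => resolve({ how: 'loaded', status: xhr.status });
    // Behaviour argued for in the quoted message: error arrives after send().
    xhr.onerror = () => reject(fail('async-error', 'network error'));
    try {
      xhr.open(method, url); // Behaviour argued for in the reply: may throw here.
      xhr.send();
    } catch (e) {
      reject(fail('sync-throw', e.message));
    }
  });
}

// Constructed stand-ins for XHR on a secure page (assumption: http: is blocked).
const insecure = (url) => new URL(url).protocol === 'http:';

class ThrowingXhr {
  open(method, url) {
    if (insecure(url)) throw new Error('blocked in open()');
    this.url = url;
  }
  send() { setTimeout(() => { this.status = 200; this.onload(); }, 0); }
}

class AsyncErrorXhr {
  open(method, url) { this.url = url; } // never throws for scheme reasons
  send() {
    setTimeout(() => {
      if (insecure(this.url)) return this.onerror();
      this.status = 200;
      this.onload();
    }, 0);
  }
}

// Returns how each design reports the same URL to the caller.
async function compare(url) {
  const settle = (C) => request(C, 'GET', url).then((r) => r.how, (e) => e.how);
  return [await settle(ThrowingXhr), await settle(AsyncErrorXhr)];
}
```

Code that only attaches an `error` handler never sees the synchronous case, and code that only wraps `open()` in `try`/`catch` never sees the asynchronous one; the wrapper covers both.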