
Re: [MIX] Modifications to script APIs

From: Mike West <mkwst@google.com>
Date: Thu, 30 Oct 2014 15:05:52 +0100
Message-ID: <CAKXHy=d5P9cRL7KyFE5w0P1F+=b5Uo_dXQk2zrqFz1P9KMVJSQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

You did. I'm still not sure I agree with you. :)

If we know in `open()` that we're not going to load the resource (because
the URL is a priori insecure), why not throw?

If we decide not to throw, we'll need to change CSP as well; I believe we
do the same thing.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Oct 30, 2014 at 2:48 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> I'm pretty sure I raised this before.
>
> Throwing from XMLHttpRequest's open() method for something that is
> effectively a network error is not acceptable. This should happen
> asynchronously during send() as part of the integration between Fetch
> and Mixed Content.
>
> The same comment applies to EventSource.
>
> WebSocket is somewhat harder since it does not go through Fetch, but I
> think we want the same principle to apply there.
>
> --
> https://annevankesteren.nl/
Received on Thursday, 30 October 2014 14:06:43 UTC
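The two API designs the thread argues over, as an added example that is not part of either message: a model XMLHttpRequest for a request from an https: page to an http: URL, once with open() refusing the a priori insecure URL synchronously, and once with open() succeeding and the mixed-content block surfacing from send() as an asynchronous network error. The scheme rule (https:/wss: page is secure, http:/ws: target is a priori insecure), the page origin, the URLs and the stand-in event loop are all my assumptions for illustration, not the spec's text.

```javascript
"use strict";

// Added example (not from the thread). It models, for an XMLHttpRequest
// issued from an https: page to an http: URL, the two designs under
// discussion: throwing synchronously from open(), versus letting open()
// succeed and reporting a network error asynchronously from send().
//
// Assumptions, mine rather than the spec's: a page whose origin has an
// https: or wss: scheme is treated as secure, and a request URL whose
// scheme is http: or ws: is "a priori insecure" from such a page.

// Constructed stand-in for the event loop so "asynchronous" is
// deterministic and the example runs offline: send() queues a task, and
// runQueuedTasks() plays the queue back.
const taskQueue = [];
function queueTask(fn) { taskQueue.push(fn); }
function runQueuedTasks() { while (taskQueue.length > 0) taskQueue.shift()(); }

const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const INSECURE_SCHEMES = new Set(["http:", "ws:"]);

// True when the request would be blocked as mixed content: secure page,
// insecure target. An http: page requesting http: is not mixed content.
function isAPrioriInsecure(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  if (!SECURE_SCHEMES.has(page.protocol)) return false;
  const target = new URL(requestUrl, pageOrigin);
  return INSECURE_SCHEMES.has(target.protocol);
}

// Design argued for in the quoted message: open() only validates its
// arguments; the mixed-content decision is made when the request is sent
// and surfaces as a network error, exactly like a DNS or TLS failure.
class AsyncErrorXHR {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin;
    this.readyState = 0; // UNSENT
    this.status = 0;
    this.onerror = null;
    this.onload = null;
  }
  open(method, url) {
    this.method = method;
    this.url = new URL(url, this.pageOrigin).href; // still throws on a malformed URL
    this.readyState = 1; // OPENED
  }
  send() {
    if (this.readyState !== 1) throw new Error("InvalidStateError");
    if (isAPrioriInsecure(this.pageOrigin, this.url)) {
      queueTask(() => {
        this.readyState = 4; // DONE; status stays 0, i.e. a network error
        if (this.onerror) this.onerror({ type: "error" });
      });
      return;
    }
    // Constructed stand-in for the real fetch: no network is touched here.
    queueTask(() => {
      this.readyState = 4;
      this.status = 200;
      if (this.onload) this.onload({ type: "load" });
    });
  }
}

// Design proposed in the reply: refuse the insecure URL in open() itself.
class ThrowingXHR extends AsyncErrorXHR {
  open(method, url) {
    super.open(method, url);
    if (isAPrioriInsecure(this.pageOrigin, this.url)) {
      this.readyState = 0;
      const err = new Error("refused to open a priori insecure URL " + this.url);
      err.name = "SecurityError";
      throw err;
    }
  }
}

// What page code observes. With AsyncErrorXHR one onerror handler covers
// mixed-content blocking and every other network failure; with ThrowingXHR
// the caller also needs a try/catch around open(), or the exception
// propagates out of the calling script.
function issueRequest(XHRClass, pageOrigin, url) {
  const outcome = { opened: false, sent: false, error: null, status: 0 };
  const xhr = new XHRClass(pageOrigin);
  xhr.onerror = () => { outcome.error = "network"; };
  xhr.onload = () => { outcome.status = xhr.status; };
  try {
    xhr.open("GET", url);
    outcome.opened = true;
    xhr.send();
    outcome.sent = true;
  } catch (e) {
    outcome.error = e.name;
  }
  return outcome;
}

const PAGE = "https://app.example"; // constructed secure page origin
const asyncOutcome = issueRequest(AsyncErrorXHR, PAGE, "http://api.example/data");
const throwOutcome = issueRequest(ThrowingXHR, PAGE, "http://api.example/data");
runQueuedTasks();
console.log("async design :", asyncOutcome); // error "network", opened and sent
console.log("throw design :", throwOutcome); // error "SecurityError", never opened
```

The contrast to notice is where the failure lands: in the asynchronous design the same onerror path that already handles a refused connection or a TLS failure also handles the mixed-content block, while in the throwing design the failure is an exception at open() that only a try/catch at the call site catches.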
