
Re: [MIX] Modifications to script APIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 30 Oct 2014 15:14:04 +0100
Message-ID: <CADnb78i2RttEvu_W1HJ1Y2ahoKzXwgYOFEcuj5FJ3yGkBnh1dA@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 30, 2014 at 3:05 PM, Mike West <mkwst@google.com> wrote:
> You did. I'm still not sure I agree with you. :)
>
> If we know in `open()` that we're not going to load the resource (because
> the URL is a priori insecure), why not throw?
>
> If we decide not to throw, we'll need to change CSP as well; I believe we do
> the same thing.

Because a) it's easier to completely break existing scripts that way.
They can probably deal with a network error, but not by having open()
throw. And b) because failing in send() is what allows things like
CORS to exist.


-- 
https://annevankesteren.nl/
Received on Thursday, 30 October 2014 14:14:35 UTC
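Added illustration, not part of the thread and not Anne's or Mike's code: a small simulation of the two designs under discussion, a synchronous throw in `open()` versus a network error surfaced from `send()`, run against a typical existing script that attaches `onerror` only after calling `open()`. The `SimulatedXHR` class, its `policy` option and `runLegacyScript` are constructed for this example; the "a priori insecure" check is simplified to "an http: URL requested from an https: page" and ignores exemptions such as localhost, and the error event fires synchronously here instead of asynchronously as in a real browser.

```javascript
// Constructed example: compare "throw in open()" with "fail in send()" for a
// request whose URL is a priori insecure (http: from an https: page).
// Not the XMLHttpRequest implementation of any browser.

// Simplified "a priori insecure" test (assumption for this example: only the
// https:-page/http:-request case counts; real rules also cover localhost etc.).
function isAPrioriInsecure(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  const target = new URL(requestUrl, pageOrigin);
  return page.protocol === 'https:' && target.protocol === 'http:';
}

// Hypothetical XHR-like object parameterised by the blocking policy.
class SimulatedXHR {
  constructor(pageOrigin, policy) {
    this.pageOrigin = pageOrigin;
    this.policy = policy; // 'throw-in-open' | 'fail-in-send'
    this.onerror = null;
    this.onload = null;
    this.blocked = false;
  }

  open(method, url) {
    this.blocked = isAPrioriInsecure(this.pageOrigin, url);
    if (this.blocked && this.policy === 'throw-in-open') {
      // Design A: refuse synchronously, before the caller can install handlers.
      throw new Error('SecurityError: a priori insecure URL ' + url);
    }
  }

  send() {
    if (this.blocked) {
      // Design B: the fetch is blocked and reported as a network error.
      // A real XHR dispatches the error event asynchronously; it is fired
      // synchronously here so the outcome can be read without an event loop.
      if (typeof this.onerror === 'function') this.onerror(new Error('network error'));
      return;
    }
    if (typeof this.onload === 'function') this.onload({ status: 200 });
  }
}

// A typical pre-existing script: open() first, handlers afterwards, no
// try/catch around open(). Returns what happened to the script.
function runLegacyScript(policy, pageOrigin, requestUrl) {
  const outcome = { completed: false, errorHandled: false, uncaught: null };
  const xhr = new SimulatedXHR(pageOrigin, policy);
  try {
    xhr.open('GET', requestUrl);
    xhr.onerror = () => { outcome.errorHandled = true; };
    xhr.send();
    outcome.completed = true;
  } catch (e) {
    // The exception escapes the script entirely under design A.
    outcome.uncaught = e.message;
  }
  return outcome;
}

// Run the same blockable request under both policies.
function compareDesigns(pageOrigin, requestUrl) {
  return {
    throwInOpen: runLegacyScript('throw-in-open', pageOrigin, requestUrl),
    failInSend: runLegacyScript('fail-in-send', pageOrigin, requestUrl),
  };
}

console.log(JSON.stringify(compareDesigns('https://example.com/', 'http://example.com/api'), null, 2));
```

With the sample request the throw-in-open run ends with an uncaught exception and the script's `onerror` handler never runs, while the fail-in-send run completes and the handler sees the network error, which is the compatibility point made above; a secure-to-secure request completes under either policy.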
