- From: Mike West <mkwst@google.com>
- Date: Thu, 30 Oct 2014 20:30:22 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Thursday, 30 October 2014 19:31:09 UTC
On Thu, Oct 30, 2014 at 3:14 PM, Anne van Kesteren <annevk@annevk.nl> wrote: > > Because a) it's easier to completely break existing scripts that way. > They can probably deal with a network error, but not by having open() > throw. According to https://code.google.com/p/chromium/issues/detail?id=389326#c6, IE throws, and at least one developer was confused that Chrome didn't. *shrug* If I need to wait for the network to tell me something, then modeling it strictly as a network failure makes sense. If, on the other hand, I know a priori that the load will be blocked, telling the developer immediately seems like a reasonable thing to do. If this was a promise based API, I'd say reject. Since it's not, throwing seems like the right thing to do. And b) because failing in send() is what allows things like > CORS to exist. > CORS isn't particularly relevant to either CSP or MIX, is it? Both intend to block requests before they hit the network; CORS should never have a chance to take effect. -mike
Received on Thursday, 30 October 2014 19:31:09 UTC