W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [MIX] Modifications to script APIs

From: Mike West <mkwst@google.com>
Date: Thu, 30 Oct 2014 20:30:22 +0100
Message-ID: <CAKXHy=e+8ZfOx8Qgaorg3rtKSf3FMyRxiHr8ZeMrkr5=7zruBg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 30, 2014 at 3:14 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Because a) it's easier to completely break existing scripts that way.
> They can probably deal with a network error, but not by having open()
> throw.

According to https://code.google.com/p/chromium/issues/detail?id=389326#c6,
IE throws, and at least one developer was confused that Chrome didn't.

*shrug* If I need to wait for the network to tell me something, then
modeling it strictly as a network failure makes sense. If, on the other
hand, I know a priori that the load will be blocked, telling the developer
immediately seems like a reasonable thing to do. If this was a promise
based API, I'd say reject. Since it's not, throwing seems like the right
thing to do.

And b) because failing in send() is what allows things like
> CORS to exist.

CORS isn't particularly relevant to either CSP or MIX, is it? Both intend
to block requests before they hit the network; CORS should never have a
chance to take effect.

Received on Thursday, 30 October 2014 19:31:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:42 UTC