Re: [MIX] Modifications to script APIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 31 Oct 2014 08:55:54 +0100
Message-ID: <CADnb78g7OsnUxvmDYCdxbXG5QUdtEHp6vww4S-6OYpB5BDmkhw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 30, 2014 at 8:30 PM, Mike West <mkwst@google.com> wrote:
> According to https://code.google.com/p/chromium/issues/detail?id=389326#c6,
> IE throws, and at least one developer was confused that Chrome didn't.

That seems like a bug in XMLHttpRequest. I now remember my original
argument and I wish you guys used Bugzilla so this would have been
resolved then. This is a layering violation. Mixed content checking
happens in Fetch, which happens as a result of send(). Yes, we can
special case a few APIs and do it earlier but in the end that seems
like a bad solution. We don't want open() to throw for ever more
things. We want it to remain a consistent API.

> CORS isn't particularly relevant to either CSP or MIX, is it? Both intend to
> block requests before they hit the network; CORS should never have a chance
> to take effect.

open() threw in some implementations for cross-origin URLs making it
harder to introduce CORS. Having open() throw for the URL argument for
anything other than parsing reasons is just bad news.

Received on Friday, 31 October 2014 07:56:21 UTC
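The layering Anne describes above, as an added example that is not part of the original thread and not XMLHttpRequest, Fetch or any browser's code: open() parses the URL and throws only for a parse failure, while the mixed-content check runs inside the fetch that send() starts and surfaces as a network error (status 0, error event) rather than an exception. The names MiniXHR, isMixedContent, MixedContentError, stubNetwork and request are hypothetical, the set of schemes treated as a priori authenticated is a simplified assumption, and the network is a constructed stub so the code runs offline.

```javascript
// Added example of the open()/send() layering discussed in the thread.
// MiniXHR, isMixedContent, MixedContentError, stubNetwork and request are
// hypothetical names; this is not XMLHttpRequest, Fetch or any browser's code.

// Simplified assumption: schemes whose transport is protected end to end, or
// that never touch the network, count as "a priori authenticated".
const A_PRIORI_AUTHENTICATED = new Set([
  "https:", "wss:", "data:", "about:", "blob:", "file:",
]);

// Mixed content: a document served over https fetching a non-authenticated URL.
function isMixedContent(documentUrl, requestUrl) {
  if (new URL(documentUrl).protocol !== "https:") return false; // insecure page
  return !A_PRIORI_AUTHENTICATED.has(new URL(requestUrl).protocol);
}

class MixedContentError extends Error {
  constructor(url) {
    super(`mixed content blocked: ${url}`);
    this.name = "MixedContentError";
  }
}

// Constructed stand-in for the network so the example runs offline.
function stubNetwork(url) {
  return { status: 200, body: `response for ${url}` };
}

class MiniXHR {
  constructor(documentUrl, network = stubNetwork) {
    this.documentUrl = documentUrl;
    this.network = network;
    this.readyState = 0; // UNSENT
    this.status = 0;
    this.responseText = "";
    this.url = null;
    this.onerror = null;
    this.onload = null;
  }

  // open(): the URL is parsed against the document's URL and only a parse
  // failure throws (SyntaxError). No policy is consulted here, so the set of
  // reasons open() can throw stays fixed however many checks fetch gains.
  open(method, url) {
    let parsed;
    try {
      parsed = new URL(url, this.documentUrl);
    } catch (e) {
      throw new SyntaxError(`open(): cannot parse URL ${JSON.stringify(url)}`);
    }
    this.method = method.toUpperCase();
    this.url = parsed.href;
    this.readyState = 1; // OPENED
  }

  // send(): the fetch begins here, so mixed-content blocking happens here.
  // A blocked request is a network error: status 0, error event, no throw.
  send() {
    if (this.readyState !== 1) throw new Error("InvalidStateError: call open() first");
    if (isMixedContent(this.documentUrl, this.url)) {
      this.readyState = 4; // DONE
      this.status = 0;
      if (this.onerror) this.onerror(new MixedContentError(this.url));
      return "blocked";
    }
    const res = this.network(this.url);
    this.readyState = 4;
    this.status = res.status;
    this.responseText = res.body;
    if (this.onload) this.onload();
    return "sent";
  }
}

// How a caller handles the two failure modes: catch SyntaxError around open()
// for malformed URLs, and rely on onerror for policy blocks raised at send().
function request(documentUrl, url) {
  const xhr = new MiniXHR(documentUrl);
  let outcome = null;
  xhr.onerror = (e) => { outcome = e.name; };
  xhr.onload = () => { outcome = `loaded:${xhr.status}`; };
  try {
    xhr.open("GET", url);
  } catch (e) {
    return `open-failed:${e.name}`;
  }
  xhr.send();
  return outcome;
}

// Stand-alone demonstration from an https document.
for (const target of ["/api", "http://example.com/api", "http://exa mple.com/"]) {
  console.log(target, "->", request("https://example.com/app", target));
}
```

The point for application code is the last function: a mixed-content block and a CORS failure both arrive as a network error on the request, so the error handler, not a try/catch around open(), is where such failures are observed.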