Re: [MIX] Modifications to script APIs

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 31 Oct 2014 08:55:54 +0100
Message-ID: <CADnb78g7OsnUxvmDYCdxbXG5QUdtEHp6vww4S-6OYpB5BDmkhw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 30, 2014 at 8:30 PM, Mike West <mkwst@google.com> wrote:
> According to https://code.google.com/p/chromium/issues/detail?id=389326#c6,
> IE throws, and at least one developer was confused that Chrome didn't.

That seems like a bug in XMLHttpRequest. I now remember my original
argument and I wish you guys used Bugzilla so this would have been
resolved then. This is a layering violation. Mixed content checking
happens in Fetch, which happens as a result of send(). Yes, we can
special case a few APIs and do it earlier but in the end that seems
like a bad solution. We don't want open() to throw for ever more
things. We want it to remain a consistent API.


> CORS isn't particularly relevant to either CSP or MIX, is it? Both intend to
> block requests before they hit the network; CORS should never have a chance
> to take effect.

open() threw in some implementations for cross-origin URLs making it
harder to introduce CORS. Having open() throw for the URL argument for
anything other than parsing reasons is just bad news.


-- 
https://annevankesteren.nl/
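A small runnable model of the layering argued for in the message, added here as an illustration and not taken from the thread, the XMLHttpRequest specification or any browser: `ModelXHR`, `isMixedContent` and `tryOpen` are invented names, and the document/request URLs are constructed samples. open() rejects only URLs that fail to parse, while the mixed-content decision is made in the fetch that send() starts and surfaces as a network error rather than an exception.

```javascript
// Model of where the mixed-content check sits. Assumption: the only
// thing open() knows about the URL argument is whether it parses;
// security policy (mixed content) is applied when fetching begins.

function isMixedContent(documentUrl, requestUrl) {
  // Mixed content in this model: a secure (https:) document
  // requesting a plain http: resource. Cross-origin alone is not
  // a reason to fail here, which is what keeps open() consistent.
  return documentUrl.protocol === "https:" && requestUrl.protocol === "http:";
}

class ModelXHR {
  constructor(documentUrl) {
    this.documentUrl = new URL(documentUrl); // origin of the calling document
    this.url = null;
    this.status = 0;
    this.onerror = null;
    this.onload = null;
  }
  open(method, url) {
    // Only parsing failures throw (the URL constructor throws TypeError).
    // No policy check happens at this layer.
    this.method = method;
    this.url = new URL(url, this.documentUrl);
  }
  send() {
    if (this.url === null) throw new Error("InvalidStateError: open() not called");
    // Fetching starts here, and the mixed-content check runs as part of
    // it; a blocked request is reported as a network error via onerror.
    if (isMixedContent(this.documentUrl, this.url)) {
      this.status = 0;
      if (this.onerror) this.onerror(new Error("NetworkError"));
      return "network error";
    }
    this.status = 200; // constructed success for the model; no I/O is done
    if (this.onload) this.onload();
    return "ok";
  }
}

function tryOpen(documentUrl, target) {
  // Classifies the outcome as "parse error" (thrown by open()),
  // "network error" (reported by send()) or "ok".
  const xhr = new ModelXHR(documentUrl);
  try {
    xhr.open("GET", target);
  } catch (e) {
    return "parse error";
  }
  return xhr.send();
}
```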
Received on Friday, 31 October 2014 07:56:21 UTC