- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 31 Oct 2014 08:55:54 +0100
- To: Mike West <mkwst@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
On Thu, Oct 30, 2014 at 8:30 PM, Mike West <mkwst@google.com> wrote:
> According to https://code.google.com/p/chromium/issues/detail?id=389326#c6,
> IE throws, and at least one developer was confused that Chrome didn't.

That seems like a bug in XMLHttpRequest. I now remember my original argument and I wish you guys used Bugzilla so this would have been resolved then.

This is a layering violation. Mixed content checking happens in Fetch, which happens as a result of send(). Yes, we can special case a few APIs and do it earlier but in the end that seems like a bad solution. We don't want open() to throw for ever more things. We want it to remain a consistent API.

> CORS isn't particularly relevant to either CSP or MIX, is it? Both intend to
> block requests before they hit the network; CORS should never have a chance
> to take effect.

open() threw in some implementations for cross-origin URLs making it harder to introduce CORS. Having open() throw for the URL argument for anything other than parsing reasons is just bad news.

-- 
https://annevankesteren.nl/
Received on Friday, 31 October 2014 07:56:21 UTC
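As an added example (not code from this thread, and not the real XMLHttpRequest implementation), a small JavaScript model of the layering argued for above: open() resolves and parses the URL and can throw only on a parse failure, while the mixed-content decision is taken at send() time, where Fetch runs, and surfaces as a network error via the error event rather than as an exception. The names ModelXHR, isMixedContent and outcome are hypothetical, and the mixed-content rule is simplified to the scheme check.

```javascript
// Added example, not from the thread: a toy model of the layering described
// above. Only the fetch step (send) applies the mixed-content check; open()
// can throw solely for URL-parsing reasons. ModelXHR/isMixedContent are
// hypothetical names, not the real XMLHttpRequest API.

// Simplified Mixed Content rule: a document on https: requesting a URL whose
// scheme is not a priori authenticated (here: http: or ws:) is mixed content.
// The real spec also exempts potentially trustworthy origins such as localhost.
function isMixedContent(documentUrl, requestUrl) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  return doc.protocol === 'https:' &&
    (req.protocol === 'http:' || req.protocol === 'ws:');
}

class ModelXHR {
  constructor(documentUrl) {
    this.documentUrl = documentUrl;
    this.url = null;
    this.status = 0;
    this.onerror = null;
  }

  // open(): resolve and parse the URL against the document's URL. An
  // unparseable URL is the only reason this throws (the real API throws a
  // "SyntaxError" DOMException; the WHATWG URL constructor throws TypeError).
  open(method, url) {
    this.method = method;
    this.url = new URL(url, this.documentUrl);
  }

  // send(): the fetch happens here, so mixed content (and CSP) checking
  // belongs here too. A blocked request becomes a network error reported
  // through the error event, never an exception. (A real implementation
  // dispatches the event asynchronously; this model calls onerror directly.)
  send() {
    if (isMixedContent(this.documentUrl, this.url.href)) {
      this.status = 0;
      if (this.onerror) this.onerror(new Error('network error'));
      return 'blocked';
    }
    this.status = 200; // stand-in for a real response
    return 'fetched';
  }
}

// Drive the model: from an https page, open() accepts an http: URL and it is
// send() that refuses it, reporting the block via onerror.
function outcome(documentUrl, requestUrl) {
  const xhr = new ModelXHR(documentUrl);
  const errors = [];
  xhr.onerror = (e) => errors.push(e.message);
  xhr.open('GET', requestUrl);
  return { sent: xhr.send(), errors };
}
```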