On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking <jo...@sicking.cc> wrote:
On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov <a...@webkit.org>
wrote:
20.07.2010, в 14:37, Jonas Sicking написал(а):
However I haven't been able to find a clear definition of what counts
as a "network error". Does this include successful HTTP requests that
return 4xx or 5xx status codes? Or just errors in the lower level of
the stack, such as aborted TCP connections?
FWIW, I've been always assuming the latter. Blocking 4xx and 5xx
responses would mean having a rather unexpected difference between same
origin and cross origin XMLHttpRequest (the former lets JS code see
such responses).
I'm fairly certain that when we discussed this at the F2F in Redmond,
we talked about 4xxs aways resulting in failed requests. And that this
solved some security issues.
However I could be misremembering, or we could have changed our minds
later.
Definitely would like to hear others speak up.
I don't remember that to be honest. CORS was always meant as some kind of
layer on top, not interfering with normal HTTP response codes. I do agree
I should clarify that though.
--
Anne van Kesteren
http://annevankesteren.nl/
