Re: [CORS] What constitutes a "network error"?
On Mon, 26 Jul 2010 08:08:13 +0200, Anne van Kesteren wrote: [...] Okay, I synced the wording with that of XMLHttpRequest. The text is duplicated, but clear. -- Anne van Kesteren http://annevankesteren.nl/
Re: [CORS] What constitutes a "network error"?
On Mon, 26 Jul 2010 07:40:08 +0200, Jonas Sicking wrote: I don't think we would be interfering with HTTP either way. If you cannot see certain response codes certain REST APIs would be impossible to implement I think. Would be great to hear how you are intending to clarify this. I.e. if a 404 response with CORS headers are exposed to the requesting site. Yes, it would be exposed. Similarly for a 204, 410, 503, etc. -- Anne van Kesteren http://annevankesteren.nl/
Re: [CORS] What constitutes a "network error"?
On Sun, Jul 25, 2010 at 2:33 PM, Anne van Kesteren wrote: > On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking wrote: >> >> On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov >> wrote: >>> >>> 20.07.2010, в 14:37, Jonas Sicking написал(а): >>> However I haven't been able to find a clear definition of what counts as a "network error". Does this include successful HTTP requests that return 4xx or 5xx status codes? Or just errors in the lower level of the stack, such as aborted TCP connections? >>> >>> >>> FWIW, I've been always assuming the latter. Blocking 4xx and 5xx >>> responses would mean having a rather unexpected difference between same >>> origin and cross origin XMLHttpRequest (the former lets JS code see such >>> responses). >> >> I'm fairly certain that when we discussed this at the F2F in Redmond, >> we talked about 4xxs aways resulting in failed requests. And that this >> solved some security issues. >> >> However I could be misremembering, or we could have changed our minds >> later. >> >> Definitely would like to hear others speak up. > > I don't remember that to be honest. CORS was always meant as some kind of > layer on top, not interfering with normal HTTP response codes. I do agree I > should clarify that though. I don't think we would be interfering with HTTP either way. Would be great to hear how you are intending to clarify this. I.e. if a 404 response with CORS headers are exposed to the requesting site. / Jonas
Re: [CORS] What constitutes a "network error"?
On Wed, 21 Jul 2010 23:54:43 +0200, Jonas Sicking wrote: On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov wrote: 20.07.2010, в 14:37, Jonas Sicking написал(а): However I haven't been able to find a clear definition of what counts as a "network error". Does this include successful HTTP requests that return 4xx or 5xx status codes? Or just errors in the lower level of the stack, such as aborted TCP connections? FWIW, I've been always assuming the latter. Blocking 4xx and 5xx responses would mean having a rather unexpected difference between same origin and cross origin XMLHttpRequest (the former lets JS code see such responses). I'm fairly certain that when we discussed this at the F2F in Redmond, we talked about 4xxs aways resulting in failed requests. And that this solved some security issues. However I could be misremembering, or we could have changed our minds later. Definitely would like to hear others speak up. I don't remember that to be honest. CORS was always meant as some kind of layer on top, not interfering with normal HTTP response codes. I do agree I should clarify that though. -- Anne van Kesteren http://annevankesteren.nl/
Re: [CORS] What constitutes a "network error"?
On Wed, Jul 21, 2010 at 1:14 PM, Alexey Proskuryakov wrote: > > 20.07.2010, в 14:37, Jonas Sicking написал(а): > >> However I haven't been able to find a clear definition of what counts >> as a "network error". Does this include successful HTTP requests that >> return 4xx or 5xx status codes? Or just errors in the lower level of >> the stack, such as aborted TCP connections? > > > FWIW, I've been always assuming the latter. Blocking 4xx and 5xx responses > would mean having a rather unexpected difference between same origin and > cross origin XMLHttpRequest (the former lets JS code see such responses). I'm fairly certain that when we discussed this at the F2F in Redmond, we talked about 4xxs aways resulting in failed requests. And that this solved some security issues. However I could be misremembering, or we could have changed our minds later. Definitely would like to hear others speak up. / Jonas
Re: [CORS] What constitutes a "network error"?
20.07.2010, в 14:37, Jonas Sicking написал(а): > However I haven't been able to find a clear definition of what counts > as a "network error". Does this include successful HTTP requests that > return 4xx or 5xx status codes? Or just errors in the lower level of > the stack, such as aborted TCP connections? FWIW, I've been always assuming the latter. Blocking 4xx and 5xx responses would mean having a rather unexpected difference between same origin and cross origin XMLHttpRequest (the former lets JS code see such responses). - WBR, Alexey Proskuryakov
[CORS] What constitutes a "network error"?
Hi All, There are a lot of algorithms in the CORS spec that contains steps like: If there is a network error do X However I haven't been able to find a clear definition of what counts as a "network error". Does this include successful HTTP requests that return 4xx or 5xx status codes? Or just errors in the lower level of the stack, such as aborted TCP connections? It would be good to have this clearly defined, preferrably with a link in all the places where it is used as a condition in an algorithm. / Jonas