On 11/28/12 11:03 PM, Boris Zbarsky wrote:
Inheriting the mode isn't so bad, all it really does is decide whether or
not to send an Origin header.
Not quite. It also affects what happens when the server doesn't respond
with an appropriate Allow-Origin.
Oh, I see. You've added this "taint" thing, which you're using for the
CSS bit.
I don't believe Gecko has any such concept. We simply fail the load if
the CORS check fails. Furthermore, Gecko's behavior is what the CORS
spec requires: failure to respond properly to a cross-origin CORS
request must be treated like a network error per CORS.
-Boris
