10322 – open() should not throw for non same-origin URL

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 10322 - open() should not throw for non same-origin URL

Summary: open() should not throw for non same-origin URL

Status:	RESOLVED FIXED

Alias:	None

Product:	WebAppsWG
Classification:	Unclassified
Component:	XHR (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 normal
Target Milestone:	---
Assignee:	Anne
QA Contact:	public-webapps-bugzilla

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-08-09 12:13 UTC by Anne
Modified:	2011-12-20 19:44 UTC (History)
CC List:	2 users (show)

See Also:

Attachments

Description Anne 2010-08-09 12:13:48 UTC

At the moment XMLHttpRequest Level 1 prescribes that open() invoked with a non same-origin URL should throw. This is incompatible with XMLHttpRequest Level 2.

Instead we should align with XMLHttpRequest Level 2 (and some implementations) and treat non same-origin URLs as a network error during the request phase (i.e. after send() is invoked). This gives a better migration path towards CORS and allows us to test this requirement in browsers that implement (parts of) XMLHttpRequest Level 2.

Along with this we should then also start throwing when the user/password arguments of open() are non-null for a non same-origin URL as XMLHttpRequest Level 2 does that as well.

Comment 1 Anne 2010-08-26 13:04:45 UTC

Please carefully review the new text. This was rather tricky.