10322 2010-08-09 12:13:48 +0000 open() should not throw for non same-origin URL 2011-12-20 19:44:13 +0000 1 1 1 Unclassified WebAppsWG XHR unspecified PC All RESOLVED FIXED P2 normal --- 1 annevk annevk mike public-webapps public-webapps-bugzilla oldest_to_newest 37296 0 annevk 2010-08-09 12:13:48 +0000 At the moment XMLHttpRequest Level 1 prescribes that open() invoked with a non same-origin URL should throw. This is incompatible with XMLHttpRequest Level 2. Instead we should align with XMLHttpRequest Level 2 (and some implementations) and treat non same-origin URLs as a network error during the request phase (i.e. after send() is invoked). This gives a better migration path towards CORS and allows us to test this requirement in browsers that implement (parts of) XMLHttpRequest Level 2. Along with this we should then also start throwing when the user/password arguments of open() are non-null for a non same-origin URL as XMLHttpRequest Level 2 does that as well. 37930 1 annevk 2010-08-26 13:04:45 +0000 Please carefully review the new text. This was rather tricky.