14773 2011-11-11 19:03:19 +0000 Investigate if synchronous XHR in window context should not support new XHR responseTypes 2012-10-11 11:15:31 +0000 1 1 1 Unclassified WebAppsWG XHR unspecified PC All RESOLVED FIXED P2 normal --- 1 bugs annevk jonas mike public-webapps public-webapps-bugzilla oldest_to_newest 59914 0 bugs 2011-11-11 19:03:19 +0000 See also https://bugzilla.mozilla.org/show_bug.cgi?id=701787 https://bugs.webkit.org/show_bug.cgi?id=72154 and WebApps mailing list 60471 1 annevk 2011-11-25 08:48:21 +0000 So should this also happen for all cross-origin requests that do not use withCredentials as sicking seemed to suggest on the mailing list? Is that what is being implemented? 60517 2 jonas 2011-11-27 01:44:07 +0000 I'm not sure I understand the question. Here is what I proposed a few days ago and what I still think should be specified: http://lists.w3.org/Archives/Public/public-webapps/2011OctDec/0924.html 60518 3 annevk 2011-11-27 01:47:49 +0000 That is already defined. The question is whether invoking open() with a cross-origin URL should throw if async is false. 60519 4 bugs 2011-11-27 02:00:38 +0000 cross-origin XHR has been supported for ages. I don't think we can break it easily. 60520 5 jonas 2011-11-27 06:00:19 +0000 Oh, crap, I worded that wrong. Yes, I think we should make it throw. We should be able to get data on if that is web compatible. 60524 6 bugs 2011-11-27 19:38:19 +0000 (In reply to comment #5) > Oh, crap, I worded that wrong. Yes, I think we should make it throw. We should > be able to get data on if that is web compatible. Throw always when cross-origin sync XHR is used? I would be surprised if that doesn't break some websites. 60529 7 jonas 2011-11-28 06:33:55 +0000 Use of CORS is still fairly new. And use of synchronous CORS requests doesn't work at all cross browser since IE doesn't have a sync mode for XDR. So I think there's a good chance that it would work. 75956 8 annevk 2012-10-11 10:03:18 +0000 Jonas, Olli, what is your current opinion on this? I can make the specification say this, but if it's not going to be implemented, there's not much point :-) 75959 9 bugs 2012-10-11 10:09:41 +0000 https://bugzilla.mozilla.org/show_bug.cgi?id=701787 is fixed. 75960 10 bugs 2012-10-11 10:10:22 +0000 And looks like https://bugs.webkit.org/show_bug.cgi?id=72154 also. 75961 11 bugs 2012-10-11 10:11:47 +0000 Or do you mean only the CORS part? That is not what this bug is about. I assume it might be too late to change CORS handling. 75965 12 annevk 2012-10-11 11:15:31 +0000 Thank you Olli! Since the anonymous flag is new I made open() throw for that. The only scenario where you can still do sync requests is same-origin requests and cross-origin requests where you have not set timeout/withCredentials/... Apart from the new thing about the anonymous flag I think the specification matches Gecko now. https://github.com/whatwg/xhr/commit/ac6d9b636bd6d86a9752006e8c34160a215e6fe1 http://xhr.spec.whatwg.org/