This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
See also https://bugzilla.mozilla.org/show_bug.cgi?id=701787 https://bugs.webkit.org/show_bug.cgi?id=72154 and WebApps mailing list
So should this also happen for all cross-origin requests that do not use withCredentials as sicking seemed to suggest on the mailing list? Is that what is being implemented?
I'm not sure I understand the question. Here is what I proposed a few days ago and what I still think should be specified: http://lists.w3.org/Archives/Public/public-webapps/2011OctDec/0924.html
That is already defined. The question is whether invoking open() with a cross-origin URL should throw if async is false.
cross-origin XHR has been supported for ages. I don't think we can break it easily.
Oh, crap, I worded that wrong. Yes, I think we should make it throw. We should be able to get data on if that is web compatible.
(In reply to comment #5) > Oh, crap, I worded that wrong. Yes, I think we should make it throw. We should > be able to get data on if that is web compatible. Throw always when cross-origin sync XHR is used? I would be surprised if that doesn't break some websites.
Use of CORS is still fairly new. And use of synchronous CORS requests doesn't work at all cross browser since IE doesn't have a sync mode for XDR. So I think there's a good chance that it would work.
Jonas, Olli, what is your current opinion on this? I can make the specification say this, but if it's not going to be implemented, there's not much point :-)
https://bugzilla.mozilla.org/show_bug.cgi?id=701787 is fixed.
And looks like https://bugs.webkit.org/show_bug.cgi?id=72154 also.
Or do you mean only the CORS part? That is not what this bug is about. I assume it might be too late to change CORS handling.
Thank you Olli! Since the anonymous flag is new I made open() throw for that. The only scenario where you can still do sync requests is same-origin requests and cross-origin requests where you have not set timeout/withCredentials/... Apart from the new thing about the anonymous flag I think the specification matches Gecko now. https://github.com/whatwg/xhr/commit/ac6d9b636bd6d86a9752006e8c34160a215e6fe1 http://xhr.spec.whatwg.org/