This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 25915 - Cross-origin requests
Summary: Cross-origin requests
Status: RESOLVED FIXED
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: File API (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: ---
Assignee: Arun
QA Contact: public-webapps-bugzilla
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-29 09:53 UTC by Anne
Modified: 2014-06-18 21:07 UTC (History)
1 user (show)

See Also:

Attachments

Description Anne 2014-05-29 09:53:39 UTC 
I'm not sure why http://dev.w3.org/2006/webapi/FileAPI/#cross-origin-requests-on-blobs is included in this specification. That should follow from URL / Fetch, no?

Duplicate requirements are bad.
Comment 1 Arun 2014-05-30 21:31:27 UTC 
(In reply to Anne from comment #0)
> I'm not sure why
> http://dev.w3.org/2006/webapi/FileAPI/#cross-origin-requests-on-blobs is
> included in this specification. That should follow from URL / Fetch, no?
> 
> Duplicate requirements are bad.


You're right. I've fixed this now so that Fetch is normative.
Comment 2 Anne 2014-05-31 07:12:48 UTC 
Now you use must in a non-normative section.
Comment 4 Anne 2014-06-05 08:22:24 UTC 
This still seems wrong. :-(

I think basically you do not want to say anything about cross-origin URLs and let that part of the security model be handled by Fetch.
Comment 5 Arun 2014-06-05 14:57:58 UTC 
(In reply to Anne from comment #4)
> This still seems wrong. :-(
> 
> I think basically you do not want to say anything about cross-origin URLs
> and let that part of the security model be handled by Fetch.


But File API defines the origin and origin policy of Blob URLs, and what requests are legal. It would be weird to be silent on the matter of cross-origin requests. I suppose I could just invoke the Fetch specification.

Also, what "seems wrong?" We already defer to Fetch and URL for most of the dereferencing. This just says that cross-origin requests return with a network error.
Comment 6 Anne 2014-06-05 14:58:48 UTC 
I don't see how that makes sense.

If Fetch defines that, why would we define it again here?
Comment 7 Arun 2014-06-05 15:00:04 UTC 
(In reply to Anne from comment #6)
> I don't see how that makes sense.
> 
> If Fetch defines that, why would we define it again here?

Well, I'm talking about:

http://dev.w3.org/2006/webapi/FileAPI/#requestResponseModel

Should ALL of it be subsumed by Fetch?
Comment 8 Anne 2014-06-05 15:02:49 UTC 
Yeah I think so. Unless you think Fetch should defer to the File API for the extracting bits from a blob bit, but I'm not sure why we would intertwine them like that.
Comment 9 Arun 2014-06-18 21:07:58 UTC 
(In reply to Anne from comment #8)
> Yeah I think so. Unless you think Fetch should defer to the File API for the
> extracting bits from a blob bit, but I'm not sure why we would intertwine
> them like that.


Any FileAPI guidance on request/response when fetching Blob URLs is now non-normative, and I consider it provisional (e.g. can delete finally) when Fetch fully owns Blob URLs as per bug 24338, which is assigned to annevk.

http://dev.w3.org/2006/webapi/FileAPI/#requestResponseModel