Closed Bug 1238007 Opened 8 years ago Closed 8 years ago

XHR should probably fail non-http URLs opened with non-GET methods

Categories

(Core :: DOM: Core & HTML, defect)

32 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1063526

People

(Reporter: bkelly, Unassigned)

+++ This bug was initially created as a clone of Bug #1205288 +++

Per the current spec XHR should not allow blob URLs using the non-GET methods.  Dimi tested this in bug 1205288 comment 4 and found XHR does allow this.

We should consider blocking this to be conformant, although it's also possible this was a recent spec change when XHR was changed over from

I'm not sure what the exact proposal is here, but I'd hate to see a spot-check added for specifically the POST+blob: combination. Explicitly outlawing that but permitting other combinations doesn't seem to benefit anyone.

What I could see is generally forbidding any non-GET methods to protocols that don't setting a method. I.e. to protocols that don't support nsIHttpChannel.

(In reply to Jonas Sicking (:sicking) from comment #1)
> What I could see is generally forbidding any non-GET methods to protocols
> that don't setting a method. I.e. to protocols that don't support
> nsIHttpChannel.

That is roughly what the fetch spec does.  It says to fail non-GET method for blob: and data: which are the only non-http protocols understood by the spec.

Cool, sounds good. The only other thing is that this could break existing webpages. It'd definitely be safer if we got some telemetry before we changed behavior.

Summary: XHR should probably fail blob URLs opened with non-GET methods → XHR should probably fail non-http URLs opened with non-GET methods
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
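
The check discussed in this thread, as an added example that is not part of the bug or of Gecko's code: fail any non-GET method sent to a non-http(s) scheme, with a dry-run counter in the spirit of collecting telemetry before changing behavior. The function names and the sample requests are hypothetical and constructed for illustration.

```javascript
// Illustrative sketch only; names are hypothetical, not Gecko or spec APIs.
const HTTP_SCHEMES = new Set(["http:", "https:"]);

// Returns "allow", "block" (non-GET to a non-http scheme), or "invalid".
function classifyRequest(method, url) {
  let scheme;
  try {
    scheme = new URL(url).protocol; // e.g. "blob:", "data:", "https:"
  } catch (e) {
    return "invalid"; // unparsable URL: a separate failure, not this check
  }
  // In this sketch the method is compared case-insensitively, so "get" is GET.
  const isGet = String(method).toUpperCase() === "GET";
  if (HTTP_SCHEMES.has(scheme) || isGet) return "allow";
  return "block";
}

// Dry run: count what would be blocked, keyed by scheme and method, without
// changing behavior. This is the kind of data a telemetry probe would report.
function dryRun(requests) {
  const wouldBlock = {};
  for (const { method, url } of requests) {
    if (classifyRequest(method, url) !== "block") continue;
    const key = `${new URL(url).protocol} ${String(method).toUpperCase()}`;
    wouldBlock[key] = (wouldBlock[key] || 0) + 1;
  }
  return wouldBlock;
}

// Constructed sample requests (not taken from the bug).
const SAMPLE = [
  { method: "GET", url: "blob:https://example.org/9f1c2d3e-0000-4000-8000-000000000000" },
  { method: "POST", url: "blob:https://example.org/9f1c2d3e-0000-4000-8000-000000000000" },
  { method: "post", url: "data:text/plain,hello" },
  { method: "PUT", url: "https://example.org/api" },
  { method: "DELETE", url: "file:///tmp/x" },
];

console.log(dryRun(SAMPLE));
```

Keying the check on "is the scheme http(s)" rather than on a list of specific schemes avoids the POST+blob: spot-check that comment 1 objects to.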