For example, open() must throw SECURITY_ERR if the method argument is "CONNECT", "TRACE", or "TRACK". But our implementation doesn't check the value "CONNECT" and it will throw non spec'ed error.
This bug might as well be a dupe of bug 918688. The specific issue mentioned passes now, as tested in http://w3c-test.org/XMLHttpRequest/open-method-insecure.htm .
Just a ping to confirm whether this ticket can be closed as a dupe, as per comment 1.
IMHO it's slightly non-kosher to mark a bug as a dupe of a META bug. On the other hand, this is clearly a dupe of bug 918709 so I suggest you close it as such :)
Fair enough :)
Ooops, I need to put the ddn on the correct bug, not this dupe. Fixing.