MIX: Drop 'active'/'passive' distinction, limit CORS.
Responding to feedback from Mozilla[1], Cox[2], and others, this change drops the 'active'/'passive' distinction from the document. The concepts are replaced with 'blockable'/'optionally-blockable': the former includes what was previously categorized as 'active' or 'blockable passive', and the latter 'optionally-blockable passive'.

At the same time, this change brings in the 'context frame type' concept from Fetch in order to explain what we previously called a 'navigational request context'. This should clarify the algorithms.

Finally, we now block mixed requests with a 'mode' of 'CORS' or 'CORS-with-forced-preflight' as a mechanism of further subsetting content types we can't outright block (proposed in [3]).

[1]: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0108.html
[2]: http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0052.html
[3]: http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0049.html