Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Which status codes are allowed for various tags such as script, video, audio? #9763

Open
JannisBush opened this issue Sep 20, 2023 · 1 comment
Labels
security/privacy There are security or privacy implications security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. topic: fetch

Comments

@JannisBush
Copy link

Does the HTML standard specifies which status codes are allowed for the different tags? I.e., responses with which codes should result in a "load" event and processing of the response?

Currently, browser behavior diverges for several tags and the behavior for various tags is different as well:

  • script, link-stylesheet: Chromium/WebKit allow 2XX and 3XX without location, Firefox allows only 2XX
  • audio, video: Chromium/WebKit only allow 200, Firefox allows 2XX
  • image: almost every status code is okay in all browsers (Firefox also allows 3XX without a location here)
@annevk
Copy link
Member

annevk commented Sep 26, 2023

For images it seems that Gecko is correct:

Whether the image is fetched successfully or not (e.g. whether the response status was an ok status) must be ignored when determining the image's type and whether it is a valid image.

Though for cross-origin images this will soon depend on ORB as well.

For media responses Chromium/WebKit appear correct per https://html.spec.whatwg.org/#verify-a-media-response. Though Gecko's behavior might be preferable if we generally want to hide 2xx vs 200.

I think script and link-stylesheet are also defined to match Gecko.

@annevk annevk added security/privacy There are security or privacy implications topic: fetch security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. labels Sep 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security/privacy There are security or privacy implications security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. topic: fetch
Development

No branches or pull requests

3 participants
@annevk @JannisBush and others