On Wed Sep 17 18:59:45 2025 +0000, Gabriel Ivăncescu wrote:
Yeah, it's supposed to only allow http URLs. I also skipped relative URLs since I wasn't sure how to handle them. And yes, it's specific to XDR; IIRC the rationale given on some Microsoft blog was that it needs the response headers to see if it allows cross-origin, and that's http-specific. (Obviously this was before XHR supported cross-domain requests.) Note that if I remove it, one of the tests will have to be turned into a todo.
The quoted rationale would explain why it would be allowed only on http document URLs, but here you check request URL, so I don't see how it's relevant.
Ad-hoc parsing or comparing of URLs is rarely a good idea. A valid absolute URL may have the "//" part missing, or a relative URL may have "://" as part of the query. We'd probably need to use the `IUri` interface to combine URLs and then perform checks on it if we really need them.
The rest of the logic seems questionable. Are you sure we don't want to allow https XDRs from http documents? We don't want to allow things like the file protocol, but that's not specific to XDR.
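
The parsing concern raised in the reply above, as an added example that is not part of the original thread or of Wine's code: it uses JavaScript's WHATWG `URL` parser as a stand-in for `IUri`, and the function names, sample URLs and allowed-scheme list are assumptions made for illustration.

```javascript
// Added illustration; all names and sample URLs below are constructed.

// Ad-hoc classification of the kind the review warns about:
// anything containing "://" is taken to be an absolute URL.
function looksAbsoluteAdHoc(url) {
  return url.includes("://");
}

// Parser-based check: combine the request URL with the document URL
// first, then inspect the parsed scheme and origin.
// allowedSchemes is a policy input (assumption), not a fixed rule.
function checkRequestUrl(requestUrl, documentUrl, allowedSchemes) {
  let resolved;
  try {
    resolved = new URL(requestUrl, documentUrl);
  } catch (e) {
    return { ok: false, reason: "unparseable", href: null, crossOrigin: null };
  }
  const scheme = resolved.protocol.slice(0, -1); // drop trailing ":"
  const crossOrigin = resolved.origin !== new URL(documentUrl).origin;
  if (!allowedSchemes.includes(scheme)) {
    return { ok: false, reason: "scheme not allowed: " + scheme,
             href: resolved.href, crossOrigin };
  }
  return { ok: true, reason: null, href: resolved.href, crossOrigin };
}

// Constructed document URL and request URLs.
const DOC = "http://app.example/dir/page.html";
const SAMPLES = [
  "data.xml?next=http://other.example/", // relative, "://" only in the query
  "file:/C:/secret.txt",                 // absolute, no "//" after the scheme
  "//cdn.example/feed.xml",              // scheme-relative, no "://"
  "https://api.example/v1",              // absolute https from an http page
];

// Compare both approaches for each sample.
function report(allowedSchemes) {
  return SAMPLES.map((u) => ({
    url: u,
    adHocAbsolute: looksAbsoluteAdHoc(u),
    parsed: checkRequestUrl(u, DOC, allowedSchemes),
  }));
}

console.log(JSON.stringify(report(["http", "https"]), null, 2));
```

The WHATWG parser and `IUri` do not agree on every input, so the exact results for unusual URLs should be confirmed against `IUri` itself.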