This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
At the moment XMLHttpRequest Level 1 prescribes that open() invoked with a non same-origin URL should throw. This is incompatible with XMLHttpRequest Level 2. Instead we should align with XMLHttpRequest Level 2 (and some implementations) and treat non same-origin URLs as a network error during the request phase (i.e. after send() is invoked). This gives a better migration path towards CORS and allows us to test this requirement in browsers that implement (parts of) XMLHttpRequest Level 2. Along with this we should then also start throwing when the user/password arguments of open() are non-null for a non same-origin URL as XMLHttpRequest Level 2 does that as well.
Please carefully review the new text. This was rather tricky.