The spec says:
""At runtime, when a network request is made from within the widget
execution scope, the user agent matches it against the rules defined
above, accepting it if it matches and blocking it if it doesn't."""
However, *blocking* is not defined. This has lead to inconstant behavior
across user agents. Some engines throw a SECURITY_ERR and shut down the
scripting environment, while others behave as if the resource could not
be loaded.
Blocking needs to be properly defined if we are going to get any
interop... particularly what it means to block http/https resources.
