- From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
- Date: Tue, 30 May 2017 23:49:58 +0000
- To: public-css-archive@w3.org
And long experience has taught us that, most of the time, there's no clever way to avoid exposing data like this. It's ban or nothing.

> It seems this happens when working locally, when it's not a crossdomain situation at all.

Browsers have different treatment of local files. In particular, I think Chrome treats sibling files/folders as cross-domain. This sucks for local dev, but it's required because of how people download things; when sibling files are treated same-domain, it means *your entire Downloads folder* is accessible to any .html page that can convince you to download and run it. Safari treats this differently, I think.

Like I said, this sucks, but the only way to reliably do local dev is to start a local server. There are a lot of turn-key solutions for this.

---

End result is that, while I understand the ergonomic problems with it, I'll hard-reject any attempt to loosen the restrictions. CORS should have applied to *every* resource on the web from the beginning, and we're doing fairly decently at applying it to new ways of fetching resources.

--
GitHub Notification of comment by tabatkins

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305040961 using your GitHub account
Received on Tuesday, 30 May 2017 23:50:06 UTC