On Tue, 02 Jun 2009 22:58:22 +0200, Ian Hickson <ian@hixie.ch> wrote:
> I discussed this with Adam and we concluded that the problems involved in
> sending the Origin header for GET (namely, leaking intranet host names to
> the Internet) are a blocker.

This will happen for XMLHttpRequest GET, fwiw.

> However, I agree that we need to resolve the above problem also. In
> practice I believe that this is actually the same problem as we
> have with <video>, namely that there needs to be a way to do the opposite
> of what CORS does -- take a resource that would normally be visible to
> anyone, and make it only visible same-origin.

I was hoping that for cross-origin <video> data opt in we could just use CORS. E.g. the resource specifies Access-Control-Allow-Origin. I was hoping the same for <img> together with <canvas> to be honest.

> Thus I believe this is an issue for CORS v2, which I expect will be
> addressed in the same timeframe as <video> v3.

Mwaha.

-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 10 June 2009 12:37:53 GMT