
[cors] Incorrect use cases

From: Bert Bos <bert@w3.org>
Date: Tue, 07 Jul 2009 01:07:06 +0200
Message-ID: <4A52839A.8080801@w3.org>
To: public-webapps@w3.org

There are two incorrect use cases in
http://www.w3.org/TR/2009/WD-cors-20090317/

1) The draft says:

"The xml-stylesheet processing instruction does not allow cross-origin 
loads to prevent data theft (e.g., from intranets)."

This is not true (even without a comma after "loads" :-) ). The Rec[1] 
imposes no restrictions on the URLs of style sheets. Indeed, that would 
be incompatible with the architecture of the Web[4], in which URLs are 
opaque (i.e., you cannot infer any information about the relation 
between two different URLs, even if they differ only by one bit).


2) The draft says:

"The CSS @font-face construct prohibits cross-origin loads."

That is also not true. Neither the Rec[2] nor the latest draft[3]
contains such a restriction. For the same reason as above.


[1] http://www.w3.org/1999/06/REC-xml-stylesheet-19990629/
[2] http://www.w3.org/TR/2008/REC-CSS2-20080411/
[3] http://www.w3.org/TR/2009/WD-css3-fonts-20090618/
[4] http://www.w3.org/TR/2004/REC-webarch-20041215/#uri-opacity



Bert
-- 
   Bert Bos                                ( W 3 C ) http://www.w3.org/
   http://www.w3.org/people/bos                               W3C/ERCIM
   bert@w3.org                             2004 Rt des Lucioles / BP 93
   +33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France
Received on Monday, 6 July 2009 23:07:42 GMT
