
Re: [cors] Incorrect use cases

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 6 Jul 2009 17:02:32 -0700
Message-ID: <63df84f0907061702n1762b9b9tcdc5fdcba38eec43@mail.gmail.com>
To: Bert Bos <bert@w3.org>
Cc: public-webapps@w3.org
On Mon, Jul 6, 2009 at 4:07 PM, Bert Bos<bert@w3.org> wrote:
> There are two incorrect use cases in
> http://www.w3.org/TR/2009/WD-cors-20090317/
>
> 1) The draft says:
>
> "The xml-stylesheet processing instruction does not allow cross-origin loads
> to prevent data theft (e.g., from intranets)."
>
> This is not true (even without a comma after "loads" :-) ). The Rec[1]
> imposes no restrictions on the URLs of style sheets. Indeed, that would be
> incompatible with the architecture of the Web[4], in which URLs are opaque
> (i.e., you cannot infer any information about the relation between two
> different URLs, even if they differ only by one bit).

Maybe what we can say here is that many implementations for security
reasons do not allow XSLT stylesheets to be loaded cross-origin.

> 2) The draft says:
>
> "The CSS @font-face construct prohibits cross-origin loads."
>
> That is also not true. Neither the Rec[2] nor the latest draft[3] contain
> such a restriction. For the same reason as above.

Yeah, might be a good idea to leave out @font-face given how much in
flux the formats and security models around @font-face seem to be.

/ Jonas
Received on Tuesday, 7 July 2009 00:03:37 GMT
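The check behind the implementation behaviour Jonas describes (refusing a cross-origin XSLT stylesheet named by an xml-stylesheet processing instruction) is an ordinary same-origin comparison of the document URL and the resolved href. The following is an added illustration, not code from the thread, from the CORS draft or from any browser: the PI parser, the hypothetical document URLs and the sample XML are constructed here, and the policy function is an assumption about what such an implementation does, not a quotation of any engine's logic. It uses only the WHATWG URL class that ships with Node.js.

```javascript
// Added example: same-origin gate for <?xml-stylesheet?> loads (illustrative, not any browser's code).
// An origin is the (scheme, host, port) triple of a parsed URL. Nothing else in the URL text
// is consulted, which is why two URLs that differ by a single character can still be
// cross-origin, and why no relation between two URLs can be inferred from their spelling.

// Matches <?xml-stylesheet ... ?> processing instructions in the prolog of an XML document.
const PI_RE = /<\?xml-stylesheet\s+([^?]*)\?>/g;
// Matches pseudo-attributes of the PI, e.g. type="text/xsl" or href='style.xsl'.
const PSEUDO_ATTR_RE = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Returns the pseudo-attributes of every xml-stylesheet PI that carries an href.
function parseStylesheetPIs(xmlText) {
  const found = [];
  for (const pi of xmlText.matchAll(PI_RE)) {
    const attrs = {};
    for (const a of pi[1].matchAll(PSEUDO_ATTR_RE)) {
      attrs[a[1]] = a[2] !== undefined ? a[2] : a[3];
    }
    if (attrs.href) found.push(attrs);
  }
  return found;
}

// Origin of a URL, resolving relative references against `base` (the document URL).
// URL.origin already normalises default ports away (https://h:443 and https://h agree)
// and yields the string "null" for opaque origins (file:, data:, blob: without a base).
function originOf(urlString, base) {
  return new URL(urlString, base).origin;
}

// Same-origin test. An opaque ("null") origin never matches anything, including itself;
// treating two "null" origins as equal would let a file:-loaded document pull in any file: URL.
function isSameOrigin(documentUrl, href) {
  const docOrigin = originOf(documentUrl);
  if (docOrigin === "null") return false;
  return docOrigin === originOf(href, documentUrl);
}

// Policy assumed for the example: same-origin stylesheet loads proceed, cross-origin ones are refused.
// Returns one decision per PI so a caller can see which reference was blocked and why.
function decideStylesheetLoads(documentUrl, xmlText) {
  return parseStylesheetPIs(xmlText).map((attrs) => ({
    href: attrs.href,
    resolved: new URL(attrs.href, documentUrl).href,
    allowed: isSameOrigin(documentUrl, attrs.href),
  }));
}

// Constructed sample: an intranet report whose prolog names several stylesheets.
// Only the first two resolve to the document's own origin.
const SAMPLE_DOCUMENT_URL = "https://intranet.example/reports/q2.xml";
const SAMPLE_XML = [
  '<?xml version="1.0"?>',
  '<?xml-stylesheet type="text/xsl" href="../style/report.xsl"?>',
  '<?xml-stylesheet type="text/xsl" href="https://intranet.example:443/style/report.xsl"?>',
  '<?xml-stylesheet type="text/xsl" href="http://intranet.example/style/report.xsl"?>',
  '<?xml-stylesheet type="text/xsl" href="https://intranet.example:8443/style/report.xsl"?>',
  "<?xml-stylesheet type='text/xsl' href='https://attacker.example/steal.xsl'?>",
  "<report/>",
].join("\n");

function demo() {
  return decideStylesheetLoads(SAMPLE_DOCUMENT_URL, SAMPLE_XML);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const d of demo()) {
    console.log(`${d.allowed ? "load   " : "refuse "} ${d.resolved}`);
  }
}
```

The third and fourth sample references are the instructive ones: the host is the intranet's own, yet a different scheme or a non-default port makes them a different origin, so the gate refuses them exactly as it refuses the attacker's URL. Conversely, spelling the default port explicitly (second reference) changes nothing, because the comparison is on the parsed origin, not the URL text.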
