
Re: [cors] Incorrect use cases

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 22 Sep 2009 19:17:45 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Bert Bos" <bert@w3.org>
Cc: public-webapps@w3.org
Message-ID: <op.u0n4zv0h64w2qv@annevk-t60>
On Tue, 07 Jul 2009 02:02:32 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> On Mon, Jul 6, 2009 at 4:07 PM, Bert Bos<bert@w3.org> wrote:
>> There are two incorrect use cases in
>> http://www.w3.org/TR/2009/WD-cors-20090317/
>>
>> 1) The draft says:
>>
>> "The xml-stylesheet processing instruction does not allow cross-origin
>> loads to prevent data theft (e.g., from intranets)."
>>
>> This is not true [...]
>
> Maybe what we can say here is that many implementations for security
> reasons do not allow XSLT stylesheets to be loaded cross origin.

Done.


>> 2) The draft says:
>>
>> "The CSS @font-face construct prohibits cross-origin loads."
>>
>> That is also not true. Neither the Rec[2] nor the latest draft[3]
>> contain such a restriction. For the same reason as above.
>
> Yeah, might be a good idea to leave out @font-face given how much in
> flux the formats and security models around @font-face seem to be.

Removed. (I actually changed my mind on this one and think that using CORS
for this is an abuse of CORS.)


Thanks to you both!


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 22 September 2009 17:18:31 GMT
