W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Semi-public resources in Uniform Messaging

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 8 Dec 2009 19:18:15 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps@w3.org
Message-ID: <Pine.LNX.4.62.0912081910590.16061@hixie.dreamhostps.com>
http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html

On Tue, 8 Dec 2009, Tyler Close wrote:
> 
> To answer your question, I need a better understanding of what 
> "semi-public" means. At first blush, it sounds a little bit like 
> "semi-pregnant". More inline below...
> 
> On Tue, Dec 8, 2009 at 6:16 AM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > I'm trying to understand this proposal and how it would interact with 
> > Server-sent Events, XBL2, <canvas>/<img>, and <video>:
> 
> We're not proposing changing the existing security model of the <img> 
> tag, since that would break existing sites. A new <img>-like tag that 
> supports UMP might be a good thing to have though.

By "<canvas>/<img>" I mean the ability to disable the cross-origin 
restriction on <canvas>'s .toDataURL() API when cross-origin <img> 
elements are drawImage()'d onto the canvas. This is one of the use cases 
for which CORS was intended to eventually be used.

By "<video>" I mean the ability to disable the cross-origin restriction 
that will be introduced once we add metadata discovery features to 
<video>'s API.


> > How would one label a static resource on an intranet server, e.g.
> >
> >   http://videos.corp.example.com/tgif/2009-12-11.ogg
> >
> > ...such that it can be used by the pages on the following hosts:
> >
> >   http://www.corp.example.com/
> >   http://moma.corp.example.com/
> >   http://tgif.corp.example.com/
> >   http://intranet.example.com/
> >
> > ...but such that it could _not_ be used by pages on the following hosts:
> >
> >   http://hostile-blog.example.com/
> 
> What exactly do you mean by "used"? Do you mean that the blog site
> author cannot obtain the bytes in the OGG file?

I am referring to the ability for those pages to get to the metadata (e.g. 
embedded subtitles) of the video file through a future <video> API.

To recast the question in terms of XMLHttpRequest, how would one label a 
static resource on an intranet server, e.g.:

   http://marketing.corp.example.com/productcodes.xml

...such that it can be read (using XMLHttpRequest) by scripts embedded on 
pages from the following hosts:

   http://www.corp.example.com/
   http://finance.corp.example.com/
   http://eng.corp.example.com/
   http://intranet.example.com/

...but such that it could _not_ be read by pages from the following hosts 
(i.e. the HTTP response would not be made accessible to scripts on pages 
from these hosts):

   http://hostile-blog.example.com/
   http://www.hostile.example/

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 8 December 2009 19:18:44 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT