Re: What constitutes protection [was: About using CORS]

On Tue, 04 May 2010 14:16:24 +0900, Sylvain Galineau  
<sylvaing@microsoft.com> wrote:
>> From: Anne van Kesteren [mailto:annevk@opera.com]
>> I explained before that to date we only have had same-origin protection
>> to prevent information leakage. This is consistent across XMLHttpRequest,
>> <img>, <form>, <video>, <audio>, <script>, <iframe>, etc. While if we
>> could do things all over again this would likely have been done
>> differently, we cannot. Since there is no information leakage
>> restricting requests to be same-origin is uncalled for and inconsistent
>> with the design principles that are used for the Web platform.
>
> OK, so because CORS was not intended to address this specific use-case,  
> the solution is to invent a new HTTP header that will essentially clone  
> the relevant subset of CORS (simple cross-domain requests, I think) and  
> that header is only to be used in cases where information leakage is not  
> involved. Right ?

Not at all. From-Origin would complement CORS. It allows one to indicate a  
resource cannot be used by the requesting party without having to inspect  
the Referer / Origin headers in the request. It does not affect request  
policies at all.


> And that is both consistent 'with the design principles that are used  
> for the Web platform' and preferable to using an existing, working,  
> interoperable approach ?

Using CORS for font requests is not at all interoperable today. Most  
implementations do not use it, in fact. CORS itself is also somewhat in  
the experimental stages still. To this date the WG is still debating  
whether the design should be radically changed, although I do not expect  
it will.


> And once we agree on said solution, browser vendors who have already  
> written their web font code to use CORS will need to write new code and  
> may have to support the current solution for backward compatibility.  
> That seems a very costly route to interop. What are the benefits of such  
> a roadmap for authors ?

What is the roadmap for authors who coded against WebKit or Presto and  
rely on cross-origin fonts without CORS?


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 4 May 2010 05:35:56 UTC
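An added example, written for this archive page and not taken from the message above or from any browser or server implementation, modelling in JavaScript the two mechanisms the reply contrasts: a From-Origin response header that the browser enforces when deciding whether a document may use a fetched resource, versus the server-side Referer/Origin inspection a font server has to do today, with Access-Control-Allow-Origin shown alongside to make clear that CORS governs whether the response may be read rather than whether it may be used. The From-Origin syntax assumed here ("same", "any", or a space-separated list of serialized origins) is an assumption, as are all origins and header values, which are constructed for the example.

```javascript
// Added illustration only; not code from the thread or from any browser or
// server. Models the distinction the reply draws between From-Origin (a
// response header the resource owner sets, enforced by the browser when it
// decides whether the document may USE the resource; the request and CORS are
// untouched) and the status quo for web fonts (the server inspects
// Referer/Origin and refuses to serve other sites).
// ASSUMED From-Origin syntax (the message does not spell one out):
//   "same" | "any" | space-separated list of serialized origins.
// Origins are compared as exact serialized strings (scheme://host[:port]).

// Browser-side decision: may a document at documentOrigin use a resource
// fetched from resourceOrigin whose response carried From-Origin: headerValue?
function fromOriginAllows(headerValue, resourceOrigin, documentOrigin) {
  if (headerValue === undefined || headerValue === null) {
    return true; // no header: the resource stays usable cross-origin, as today
  }
  const value = headerValue.trim();
  if (value === 'any') return true;
  if (value === 'same') return documentOrigin === resourceOrigin;
  // Otherwise an origin list; exact match only, so "https://b.example.evil"
  // does not pass as "https://b.example".
  return value.split(/\s+/).includes(documentOrigin);
}

// Server-side status quo: decide from request headers alone whether to serve
// the resource. Fragile by construction: Origin is sent only on some requests,
// and Referer is routinely stripped by privacy tools and proxies, so a
// legitimate embedding page can end up refused.
function serverRefererCheck(requestHeaders, allowedOrigins) {
  const origin = requestHeaders['origin'];
  if (origin !== undefined) return allowedOrigins.includes(origin);
  const referer = requestHeaders['referer'];
  if (referer === undefined) return false; // neither header present: refuse
  try {
    return allowedOrigins.includes(new URL(referer).origin);
  } catch (e) {
    return false; // unparsable Referer
  }
}

// CORS for contrast: Access-Control-Allow-Origin says whether the requesting
// document may READ the response (the information-leakage concern), which is a
// different question from whether it may use the resource.
function corsExposesResponse(acaoHeader, documentOrigin) {
  if (acaoHeader === undefined || acaoHeader === null) return false;
  const value = acaoHeader.trim();
  return value === '*' || value === documentOrigin;
}

// Constructed sample: a font served with both headers. Any origin may read
// the bytes (CORS), but only two sites may use the font (From-Origin).
const fontResponseHeaders = {
  'access-control-allow-origin': '*',
  'from-origin': 'https://a.example https://b.example',
};
const fontOrigin = 'https://fonts.example';

// Combined browser-side verdict for a document at documentOrigin.
function decideFor(documentOrigin) {
  return {
    readable: corsExposesResponse(fontResponseHeaders['access-control-allow-origin'], documentOrigin),
    usable: fromOriginAllows(fontResponseHeaders['from-origin'], fontOrigin, documentOrigin),
  };
}

console.log(decideFor('https://a.example')); // both true
console.log(decideFor('https://c.example')); // readable, not usable
```

The point the two functions make side by side: with From-Origin the server emits one static header and never parses Referer or Origin, so the missing-Referer and Origin-not-sent cases in serverRefererCheck simply do not arise; the browser already knows the document's origin and applies the policy itself.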