RE: SOR: CORS or From-Origin?

On Thursday, February 10, 2011 7:07 PM David Singer wrote:
> 
> On Feb 10, 2011, at 15:56 , Levantovsky, Vladimir wrote:
> >
> > I think this could be a very good alternative to CORS. "From Origin"
> > header would work exactly as proposed if present. However, the default
> > behavior can be specified by the WOFF spec that in absence of "From
> > Origin" header must be treated as if "From Origin: same" is set. In my
> > admittedly 'under-educated' opinion, this would resolve all the
> > concerns that Håkon and Anne had presented (i.e. the same "From Origin"
> > header can be used with any other media type "without causing havoc"),
> > and the only difference is that the alternative default behavior is
> > specified by WOFF spec.
> >
> > As Håkon said, if "From Origin" can be spec'ed quickly, this might be
> > the way to eliminate the dependency on CORS.
> >
> > Comments?
> 
> I think there may be some opposition to a type-specific rule (e.g. "for
> files with the type WOFF"), and some discussion of the alternative
> link-specific rule ("for files linked from CSS font-face").  My
> understanding is that at least some of the current implementations of
> CORS/SOR are, in fact, not type-specific but link-specific.
> 

I agree. I am not advocating a type-specific rule, and would be very much in favor of a link-specific rule as it is currently implemented by Firefox and IE9, and spec'ed in the WOFF spec. The only difference would be that we would drop a reference to CORS, adopting instead a "From Origin" header proposal from Anne and Håkon, and, like Sylvain proposed, specifying the default behavior to be the one where absence of the "From Origin" header would be treated as if "From Origin: same" is present - for all types of resources linked to Web documents using CSS @font-face rules.

Regards,
Vlad

Received on Friday, 11 February 2011 15:01:28 UTC