W3C home > Mailing lists > Public > www-style@w3.org > June 2009

Re: New work on fonts at W3C

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 22 Jun 2009 07:51:08 +0200
To: Fran├žois REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>
Cc: "CSS 3 W3C Group" <www-style@w3.org>
Message-ID: <op.uvwvvi0v64w2qv@annevk-t60>
On Sat, 20 Jun 2009 21:47:32 +0200, Fran├žois REMY <fremycompany_pub@yahoo.fr> wrote:
> From: "Anne van Kesteren" <annevk@opera.com>
>> My point is that since we do not have cross-origin restrictions for all
>> those various other ways to load resources cross-origin (<link>,  
>> <script>, <img>, <video>, <audio>, <form>, <svg:image>, 'content',
>> 'background-image', 'list-style-image', 'cursor', and probably more) it
>> does not make sense to impose such a restriction here.
>
> Fully agree. Except if the site provide a X-Allow-... header.

Where is this header defined?


> If such an header is present, urls that don't match the criteria should not be
> allowed to acceed to the ressource. This simple principe could be
> applied on the whole web without having problem with old content,
> that doens't contains the header.
>
> It would be a similar system that what is already done with the
> XMLHttpRequest object, except that if no header is present, the
> ressource (font, image, video) can be used while whit XHR no
> header means no autorisation.
>
> What do you think of it ?

Making it use the same headers as the CORS protocol but with wildly different semantics does not seem like a good idea to me. Also, I'm somewhat skeptical that something which negatively affects clients that implement it when incorrectly used can be successfully deployed.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 22 June 2009 05:51:48 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:18 GMT