
Re: New work on fonts at W3C

From: François REMY <fremycompany_pub@yahoo.fr>
Date: Mon, 22 Jun 2009 08:17:33 +0200
Message-ID: <49060333392E4D5B95331912D4058620@FREMYCOMPANY>
To: "Anne van Kesteren" <annevk@opera.com>, "Robert O'Callahan" <robert@ocallahan.org>
Cc: "CSS 3 W3C Group" <www-style@w3.org>
From: "Anne van Kesteren" <annevk@opera.com>
> On Mon, 22 Jun 2009 08:00:12 +0200, François REMY 
> <fremycompany_pub@yahoo.fr> wrote:
>> From: "Anne van Kesteren" <annevk@opera.com>
>>> Where is this header defined?
>>
>> In the XHR Cross-Site Scripting module, if I remember.
>
> I'm not sure what you mean by that, though as editor of the XMLHttpRequest 
> specifications (and as editor of CORS) I can tell you there is no 
> X-Allow-... header defined in those specifications.

Sorry, I looked at the specification and you're right. The correct name is: 
Access-Control-Allow-Origin

>>> Making it use the same headers as the CORS protocol but with wildly
>>> different semantics does not seem like a good idea to me. Also, I'm
>>> somewhat skeptical that something which negatively affects clients that
>>> implement it when incorrectly used can be successfully deployed.
>>
>> If they can use it for the XHR, why could they not use it for trying to
>> secure their own documents?
>
> It is not about restricting. As I said earlier CORS is about _lifting_ a 
> restriction (that is present, e.g., with XMLHttpRequest), not imposing 
> one.

This is the intent of my request, indeed. I never said a simple header would 
provide full restriction.

> -- 
> Anne van Kesteren
> http://annevankesteren.nl/ 
Received on Monday, 22 June 2009 06:18:03 GMT
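
The distinction drawn in the message above (Access-Control-Allow-Origin lifts the same-origin restriction on reads such as XMLHttpRequest, it does not impose one) can be shown with a simplified model of the check a browser applies. This is an added example, not part of the original message or of any specification text; the function names and the example.* hosts are assumptions, and preflight requests are not modelled.

```javascript
// Added illustration, not from the thread: simplified model of the CORS
// resource-sharing check. Names are hypothetical; preflight is not modelled.

// Case-insensitive header lookup over a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key].trim();
}

// May script on pageUrl read a response fetched from resourceUrl?
function mayReadResponse(pageUrl, resourceUrl, headers, withCredentials = false) {
  const pageOrigin = new URL(pageUrl).origin;
  // Same-origin reads never consult the header: it cannot take access away.
  if (pageOrigin === new URL(resourceUrl).origin) {
    return { allowed: true, reason: "same-origin" };
  }
  // Cross-origin reads are blocked by default; the header is the opt-in.
  const acao = getHeader(headers, "Access-Control-Allow-Origin");
  if (acao === undefined) {
    return { allowed: false, reason: "no opt-in header" };
  }
  if (withCredentials) {
    // Credentialed requests need an exact origin plus an explicit allow flag.
    const ok = acao === pageOrigin &&
      getHeader(headers, "Access-Control-Allow-Credentials") === "true";
    return { allowed: ok, reason: ok ? "credentialed opt-in" : "credentialed request not allowed" };
  }
  if (acao === "*" || acao === pageOrigin) {
    return { allowed: true, reason: "opt-in header matches" };
  }
  return { allowed: false, reason: "header names another origin" };
}

// Constructed sample inputs (example.* hosts are placeholders).
const page = "https://app.example/index.html";
const cases = [
  ["https://app.example/data.json", { "Access-Control-Allow-Origin": "https://other.example" }],
  ["https://api.example/data.json", {}],
  ["https://api.example/data.json", { "access-control-allow-origin": "*" }],
];
for (const [url, headers] of cases) {
  console.log(url, JSON.stringify(headers), mayReadResponse(page, url, headers));
}
```

The first constructed case is the one that matters for the thread: a same-origin read succeeds even though the header names a different origin, so the header alone cannot be used to lock a document down.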
