W3C home > Mailing lists > Public > www-style@w3.org > June 2009

Re: New work on fonts at W3C

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 22 Jun 2009 08:48:17 +0200
To: Fran├žois REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>
Cc: "CSS 3 W3C Group" <www-style@w3.org>
Message-ID: <op.uvwyiryl64w2qv@annevk-t60>
On Mon, 22 Jun 2009 08:17:33 +0200, Fran├žois REMY <fremycompany_pub@yahoo.fr> wrote:
> This is the intent of my request, indeed. I never said a simple header  
> would provide full restriction.

I am not really sure how to explain this in a simple way, but what XMLHttpRequest does is different semantically from what @font-face does. What is protected by the Access-Control-Allow-Origin header (and indeed, by the same-origin restriction on XMLHttpRequest before that) in case of simple requests using the GET method is not the request, but the exposure of the response entity body. This is a vastly different scenario from fonts (and images), where the response entity body is not exposed and therefore does not need protection. (Until you make it more complicated with e.g. <canvas>, but lets not go there.)

I do not think that twisting the semantics of Access-Control-Allow-Origin to do other things than the above is a good thing. Especially in the way you seem to be suggesting. I.e. that the presence of the header can somehow have a negative affect compared to it not being there at all.

To a lesser extent also as to what Robert is proposing and Gecko is currently doing as it is not about that either.

Anne van Kesteren
Received on Monday, 22 June 2009 06:49:01 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 12:34:27 UTC