W3C home > Mailing lists > Public > www-style@w3.org > June 2009

Re: New work on fonts at W3C

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 22 Jun 2009 08:48:17 +0200
To: Fran├žois REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>
Cc: "CSS 3 W3C Group" <www-style@w3.org>
Message-ID: <op.uvwyiryl64w2qv@annevk-t60>
On Mon, 22 Jun 2009 08:17:33 +0200, Fran├žois REMY <fremycompany_pub@yahoo.fr> wrote:
> This is the intent of my request, indeed. I never said a simple header  
> would provide full restriction.

I am not really sure how to explain this in a simple way, but what XMLHttpRequest does is different semantically from what @font-face does. What is protected by the Access-Control-Allow-Origin header (and indeed, by the same-origin restriction on XMLHttpRequest before that) in case of simple requests using the GET method is not the request, but the exposure of the response entity body. This is a vastly different scenario from fonts (and images), where the response entity body is not exposed and therefore does not need protection. (Until you make it more complicated with e.g. <canvas>, but lets not go there.)

I do not think that twisting the semantics of Access-Control-Allow-Origin to do other things than the above is a good thing. Especially in the way you seem to be suggesting. I.e. that the presence of the header can somehow have a negative affect compared to it not being there at all.

To a lesser extent also as to what Robert is proposing and Gecko is currently doing as it is not about that either.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 22 June 2009 06:49:01 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:18 GMT