W3C home > Mailing lists > Public > www-style@w3.org > June 2009

Re: New work on fonts at W3C

From: Brad Kemper <brad.kemper@gmail.com>
Date: Mon, 22 Jun 2009 10:13:30 -0700
Cc: François REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>, "CSS 3 W3C Group" <www-style@w3.org>
Message-Id: <5E27D4F6-8868-417B-A779-80988BCA0BE1@gmail.com>
To: "Anne van Kesteren" <annevk@opera.com>

On Jun 21, 2009, at 11:48 PM, Anne van Kesteren wrote:

> On Mon, 22 Jun 2009 08:17:33 +0200, François REMY <fremycompany_pub@yahoo.fr 
> > wrote:
>> This is the intent of my request, indeed. I never said a simple  
>> header
>> would provide full restriction.
>
> I am not really sure how to explain this in a simple way, but what  
> XMLHttpRequest does is different semantically from what @font-face  
> does. What is protected by the Access-Control-Allow-Origin header  
> (and indeed, by the same-origin restriction on XMLHttpRequest before  
> that) in case of simple requests using the GET method is not the  
> request, but the exposure of the response entity body. This is a  
> vastly different scenario from fonts (and images), where the  
> response entity body is not exposed and therefore does not need  
> protection. (Until you make it more complicated with e.g. <canvas>,  
> but lets not go there.)
>
> I do not think that twisting the semantics of Access-Control-Allow- 
> Origin to do other things than the above is a good thing. Especially  
> in the way you seem to be suggesting. I.e. that the presence of the  
> header can somehow have a negative affect compared to it not being  
> there at all.

Are you saying that there is a technical barrier to having CORS  
provide restrictions instead of just easing restrictions, because it  
would need to prevent a resource from loading instead of just  
preventing it from executing? Or is it more of a philosophical problem  
because that was not the original intent of the standard?
Received on Monday, 22 June 2009 17:14:06 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:18 GMT