Re: [css3-fonts] same-origin restriction definition

From: Chris Lilley <chris@w3.org>
Date: Wed, 21 Apr 2010 18:57:55 +0200
Message-ID: <149848459.20100421185755@w3.org>
To: John Daggett <jdaggett@mozilla.com>
CC: www-style <www-style@w3.org>

On Monday, April 5, 2010, 10:18:36 AM, John wrote:

JD> Follow-up to Bert's original mail "[css3-fonts] various comments and typos"

JD>   http://lists.w3.org/Archives/Public/www-style/2010Mar/0553.html

JD> Bert Bos wrote:

>> k) Appendix A doesn't seem to belong in this spec. The "same-origin"
>> restriction is also incompatible with W3C's Recommended Web architecture
>> (see, e.g., section 2.5 in "Architecture of the World Wide Web, Volume
>> One" at http://www.w3.org/TR/2004/REC-webarch-20041215/#uri-opacity)

JD> I'm not at all clear why same-origin restrictions are incompatible
JD> with W3C's Recommended Web architecture.

And in particular, it has nothing to do with the URI opacity concept.  Having been involved in writing that section, and again on re-reading it, I don't see the relevance here. There is no introspecting of a URI taking place which is unlicensed by the relevant specifications.

Instead, the relevant section of webarch seems to be

3.5.2. Linking and access control
http://www.w3.org/TR/2004/REC-webarch-20041215/#id-access

and I don't see anything in conflict there either.

JD>   Same-origin restrictions
JD> exist for scripts, are you saying those are incompatible also?

I would not.

JD> The reason for defining this here is that this spec defines the load
JD> behavior of @font-face and a same-origin restriction affects that.

Good point.

JD> Whether that's required or not is probably an issue to be decided in
JD> conjunction with the newly-formed Web Fonts group but having the
JD> description of this in the same spec where @font-face is defined
JD> certainly makes things easier for authors and implementers.

I agree that discussion will happen there.

Personally, the only problem I see in this section is that it is optional.

"Some user agents implement a ‘same-origin restriction’ ".

That makes it untestable and unreliable. So I would rather see same-origin mandatory as a default (with CORS to relax it).

-- 
 Chris Lilley                    mailto:chris@w3.org
 Technical Director, Interaction Domain
 W3C Graphics Activity Lead
 Co-Chair, W3C Hypertext CG
Received on Wednesday, 21 April 2010 16:58:01 GMT
