RE: css3-fonts: should not dictate usage policy with respect to origin

On Wednesday, June 22, 2011 12:06 AM Florian Rivoal wrote:
> 
> I agree the proposals are not that far apart if you only consider
> fonts,
> but there is a little more in favor of From-Origin than purity of
> essence.
> It is a more generic mechanism.
> 

Yes, I agree - From-Origin is a more generic mechanism.

> If we only fix it for fonts, blocking
> by default and allowing to opt out is sane. But if we have a generic
> mechanism that applies to any kinds of resources, allow access and
> allow opt-in restriction is a better default.
> 
> Also, the information leak problem is definitely not unique to fonts,
> and I would find it a shame to pass on a good opportunity to introduce
> a generic mechanism that can solve it for everybody.
>

This goes back to our discussion about consistency. There is nothing that would preclude us from having different defaults introduced for backward compatibility (where absence of From-Origin header would be considered as "From-Origin=any", and for everything else including fonts where absence of the header would be treated as "From-Origin=same"

This would offer the best of both worlds solution - a generic mechanism that is backward compatible and works with all existing resource types, and also the one that requires no extra work for the majority of authors.

Vladimir

Received on Wednesday, 22 June 2011 05:35:23 UTC