- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 23 Jan 2008 17:25:17 -0800
- To: Ian Hickson <ian@hixie.ch>
- CC: Mark Nottingham <mnot@yahoo-inc.com>, "WAF WG (public)" <public-appformats@w3.org>
Ian Hickson wrote: > favicon.ico is a per-domain policy that is only available due to a legacy > proprietary extension; it causes untold problems (e.g. it doubles the load > on some of my sites due to bugs in how browsers cache 404 responses for > this resource), and it has per-resource ways of being specified instead > (including using HTTP headers). FWIW, the favicon.ico problems I don't think really applies here. The reason that it adds a lot of load is that normal browsing on the site causes requests to favicon.ico, however access-control policy checks will only happen if someone explicitly makes a cross-site request to your site. However there is no incentive for anyone to do so since such requests will fail. Basically for the same reason you're not getting any 404s about any other random URI, i.e. there is no reason for anyone to request it, you wouldn't get any requests to an access-control magic-uri either. That said, I do agree with your other points. And I don't see how we could use a magic-uri solution while still fulfilling requirement 3 in the ED. / Jonas
Received on Thursday, 24 January 2008 01:26:38 UTC