Re: [csswg-drafts] [css-shapes] Reconsider CORS limitation in CSS Shapes

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 May 2017 23:49:58 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-305040961-1496188197-sysbot+gh@w3.org>

And long experience has taught us that, most of the time, there's no clever way to avoid exposing data like this. It's ban or nothing.

> It seems this happens when working locally, when it's not a crossdomain situation at all.

Browsers have different treatment of local files. In particular, I think Chrome treats sibling files/folders as cross-domain.  This sucks for local dev, but it's required because of how people download things; when sibling files are treated same-domain, it means *your entire Downloads folder* is accessible to any .html page that can convince you to download and run it.  Safari treats this differently, I think.

Like I said, this sucks, but the only way to reliably do local dev is to start a local server.  There are a lot of turn-key solutions for this.


End result is that, while I understand the ergonomic problems with it, I'll hard-reject any attempt to loosen the restrictions.  CORS should have applied to *every* resource on the web from the beginning, and we're doing fairly decently at applying it to new ways of fetching resources.

GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305040961 using your GitHub account
Received on Tuesday, 30 May 2017 23:50:06 UTC
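
Added example, not part of the original message or of any browser's code: a simplified JavaScript model of the decision the message describes, showing why sibling `file:` URLs fail the same-origin test while a page and image served from one local server pass. The function names, the URLs and the `acao` parameter (the image response's `Access-Control-Allow-Origin` value) are assumptions made for illustration, and the opaque-origin handling follows the behaviour the message attributes to Chrome.

```javascript
// Simplified model of the same-origin / CORS decision for a shape-outside
// image. Function names and all URLs are constructed for this example.

// The WHATWG URL parser serialises an opaque origin (file:, data:, ...) as
// the string "null"; map that to a real null so it cannot compare equal.
function originOf(url) {
  const o = new URL(url).origin;
  return o === 'null' ? null : o;
}

// Opaque origins never match anything, not even a sibling file on disk.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && oa === ob;
}

// acao: Access-Control-Allow-Origin value on the image response, or
// undefined when there is none (always the case for a file: read).
function shapeImageAllowed(docUrl, imgUrl, acao) {
  if (sameOrigin(docUrl, imgUrl)) return true;   // no CORS check needed
  if (acao === undefined) return false;          // cross-origin, no opt-in
  // Anonymous-mode check: wildcard or the requester's serialised origin.
  const requester = originOf(docUrl) ?? 'null';
  return acao === '*' || acao === requester;
}

// Constructed cases: [document URL, image URL, ACAO header].
const CASES = [
  ['file:///home/dev/Downloads/page.html', 'file:///home/dev/Downloads/shape.png', undefined],
  ['http://localhost:8000/page.html', 'http://localhost:8000/shape.png', undefined],
  ['http://localhost:8000/page.html', 'https://cdn.example/shape.png', undefined],
  ['http://localhost:8000/page.html', 'https://cdn.example/shape.png', '*'],
];

function runCases() {
  return CASES.map(([doc, img, acao]) => shapeImageAllowed(doc, img, acao));
}

for (const [i, ok] of runCases().entries()) {
  console.log(CASES[i][0], '->', CASES[i][1], ok ? 'allowed' : 'blocked');
}
```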