Re: [csswg-drafts] [css-shapes] Reconsider CORS limitation in CSS Shapes

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 May 2017 23:49:58 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-305040961-1496188197-sysbot+gh@w3.org>

And long experience has taught us that, most of the time, there's no clever way to avoid exposing data like this. It's ban or nothing.

> It seems this happens when working locally, when it's not a crossdomain situation at all.

Browsers have different treatment of local files. In particular, I think Chrome treats sibling files/folders as cross-domain.  This sucks for local dev, but it's required because of how people download things; when sibling files are treated same-domain, it means *your entire Downloads folder* is accessible to any .html page that can convince you to download and run it.  Safari treats this differently, I think.

Like I said, this sucks, but the only way to reliably do local dev is to start a local server.  There are a lot of turn-key solutions for this.

---

End result is that, while I understand the ergonomic problems with it, I'll hard-reject any attempt to loosen the restrictions.  CORS should have applied to *every* resource on the web from the beginning, and we're doing fairly decently at applying it to new ways of fetching resources.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/1481#issuecomment-305040961 using your GitHub account
Received on Tuesday, 30 May 2017 23:50:06 UTC