- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 10 Jun 2009 14:37:04 +0200
- To: "Ian Hickson" <ian@hixie.ch>, "Thomas Broyer" <t.broyer@gmail.com>, "Adam Barth" <w3c@adambarth.com>
- Cc: public-html <public-html@w3.org>

On Tue, 02 Jun 2009 22:58:22 +0200, Ian Hickson <ian@hixie.ch> wrote:
> I discussed this with Adam and we concluded that the problems involved in
> sending the Origin header for GET (namely, leaking intranet host names to
> the Internet) are a blocker.

This will happen for XMLHttpRequest GET, fwiw.

> However, I agree that we need to resolve the above problem also. In
> practice I believe that this is actually the same problem as we
> have with <video>, namely that there needs to be a way to do the opposite
> of what CORS does -- take a resource that would normally be visible to
> anyone, and make it only visible same-origin.

I was hoping that for cross-origin <video> data opt in we could just use CORS. E.g. the resource specifies Access-Control-Allow-Origin. I was hoping the same for <img> together with <canvas> to be honest.

> Thus I believe this is an issue for CORS v2, which I expect will be
> addressed in the same timeframe as <video> v3.

Mwaha.

-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 10 June 2009 12:37:53 UTC