[cors] Incorrect use cases

There are two incorrect use cases in 

1) The draft says:

"The xml-stylesheet processing instruction does not allow cross-origin 
loads to prevent data theft (e.g., from intranets)."

This is not true (even without a comma after "loads" :-) ). The Rec[1] 
imposes no restrictions on the URLs of style sheets. Indeed, that would 
be incompatible with the architecture of the Web[4], in which URLs are 
opaque (i.e., you cannot infer any information about the relation 
between two different URLs, even if they differ only by one bit).

2) The draft says:

"The CSS @font-face construct prohibits cross-origin loads."

That is also not true. Neither the Rec[2] nor the latest draft[3] 
contain such a restriction. For the same reason as above.

[1] http://www.w3.org/1999/06/REC-xml-stylesheet-19990629/
[2] http://www.w3.org/TR/2008/REC-CSS2-20080411/
[3] http://www.w3.org/TR/2009/WD-css3-fonts-20090618/
[4] http://www.w3.org/TR/2004/REC-webarch-20041215/#uri-opacity

   Bert Bos                                ( W 3 C ) http://www.w3.org/
   http://www.w3.org/people/bos                               W3C/ERCIM
   bert@w3.org                             2004 Rt des Lucioles / BP 93
   +33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France

Received on Monday, 6 July 2009 23:07:42 UTC