Re: [cors] Incorrect use cases

On Mon, Jul 6, 2009 at 4:07 PM, Bert Bos<bert@w3.org> wrote:
> There are two incorrect use cases in
> http://www.w3.org/TR/2009/WD-cors-20090317/
>
> 1) The draft says:
>
> "The xml-stylesheet processing instruction does not allow cross-origin loads
> to prevent data theft (e.g., from intranets)."
>
> This is not true (even without a comma after "loads" :-) ). The Rec[1]
> imposes no restrictions on the URLs of style sheets. Indeed, that would be
> incompatible with the architecture of the Web[4], in which URLs are opaque
> (i.e., you cannot infer any information about the relation between two
> different URLs, even if they differ only by one bit).

Maybe what we can say here is that many implementations for security
reasons do not allow XSLT stylesheets to be loaded cross origin.

> 2) The draft says:
>
> "The CSS @font-face construct prohibits cross-origin loads."
>
> That is also not true. Neither the Rec[2] nor the latest draft[3] contain
> such a restriction. For the same reason as above.

Yeah, might be a good idea to leave out @font-face given how much in
flux the formats and security models around @font-face seem to be.

/ Jonas

Received on Tuesday, 7 July 2009 00:03:37 UTC