Re: [cors] Incorrect use cases

On Tue, 07 Jul 2009 02:02:32 +0200, Jonas Sicking wrote:
> On Mon, Jul 6, 2009 at 4:07 PM, Bert Bos wrote:
>> There are two incorrect use cases in
>> 1) The draft says:
>> "The xml-stylesheet processing instruction does not allow cross-origin
>> loads to prevent data theft (e.g., from intranets)."
>> This is not true [...]
> Maybe what we can say here is that many implementations for security
> reasons do not allow XSLT stylesheets to be loaded cross origin.


>> 2) The draft says:
>> "The CSS @font-face construct prohibits cross-origin loads."
>> That is also not true. Neither the Rec[2] nor the latest draft[3]
>> contains such a restriction. For the same reason as above.
> Yeah, might be a good idea to leave out @font-face given how much in
> flux the formats and security models around @font-face seem to be.

Removed. (I actually changed my mind on this one and think that using CORS
for this is an abuse of CORS.)

Thanks to you both!

Anne van Kesteren

Received on Tuesday, 22 September 2009 17:18:31 UTC