- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 22 Sep 2009 19:17:45 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>, "Bert Bos" <bert@w3.org>
- Cc: public-webapps@w3.org
On Tue, 07 Jul 2009 02:02:32 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> On Mon, Jul 6, 2009 at 4:07 PM, Bert Bos <bert@w3.org> wrote:
>> There are two incorrect use cases in
>> http://www.w3.org/TR/2009/WD-cors-20090317/
>>
>> 1) The draft says:
>>
>> "The xml-stylesheet processing instruction does not allow cross-origin
>> loads to prevent data theft (e.g., from intranets)."
>>
>> This is not true [...]
>
> Maybe what we can say here is that many implementations for security
> reasons do not allow XSLT stylesheets to be loaded cross origin.

Done.

>> 2) The draft says:
>>
>> "The CSS @font-face construct prohibits cross-origin loads."
>>
>> That is also not true. Neither the Rec[2] nor the latest draft[3]
>> contain such a restriction. For the same reason as above.
>
> Yeah, might be a good idea to leave out @font-face given how much in
> flux the formats and security models around @font-face seem to be.

Removed. (I actually changed my mind on this one and think that using CORS for this is an abuse of CORS.)

Thanks to you both!

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 22 September 2009 17:18:31 UTC