- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 8 Dec 2009 19:18:15 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org
- Message-ID: <Pine.LNX.4.62.0912081910590.16061@hixie.dreamhostps.com>
http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html

On Tue, 8 Dec 2009, Tyler Close wrote:
>
> To answer your question, I need a better understanding of what
> "semi-public" means. At first blush, it sounds a little bit like
> "semi-pregnant". More inline below...
>
> On Tue, Dec 8, 2009 at 6:16 AM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > I'm trying to understand this proposal and how it would interact with
> > Server-sent Events, XBL2, <canvas>/<img>, and <video>:
>
> We're not proposing changing the existing security model of the <img>
> tag, since that would break existing sites. A new <img>-like tag that
> supports UMP might be a good thing to have though.

By "<canvas>/<img>" I mean the ability to disable the cross-origin
restriction on <canvas>'s .toDataURL() API when cross-origin <img> elements
are drawImage()'d onto the canvas. This is one of the use cases for which
CORS was intended to eventually be used.

By "<video>" I mean the ability to disable the cross-origin restriction
that will be introduced once we add metadata discovery features to
<video>'s API.

> > How would one label a static resource on an intranet server, e.g.
> >
> >   http://videos.corp.example.com/tgif/2009-12-11.ogg
> >
> > ...such that it can be used by the pages on the following hosts:
> >
> >   http://www.corp.example.com/
> >   http://moma.corp.example.com/
> >   http://tgif.corp.example.com/
> >   http://intranet.example.com/
> >
> > ...but such that it could _not_ be used by pages on the following hosts:
> >
> >   http://hostile-blog.example.com/
>
> What exactly do you mean by "used"? Do you mean that the blog site
> author cannot obtain the bytes in the OGG file?

I am referring to the ability for those pages to get to the metadata (e.g.
embedded subtitles) of the video file through a future <video> API.

To recast the question in terms of XMLHttpRequest, how would one label a
static resource on an intranet server, e.g.:

   http://marketing.corp.example.com/productcodes.xml

...such that it can be read (using XMLHttpRequest) by scripts embedded on
pages from the following hosts:

   http://www.corp.example.com/
   http://finance.corp.example.com/
   http://eng.corp.example.com/
   http://intranet.example.com/

...but such that it could _not_ be read by pages from the following hosts
(i.e. the HTTP response would not be made accessible to scripts on pages
from these hosts):

   http://hostile-blog.example.com/
   http://www.hostile.example/

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 8 December 2009 19:18:44 UTC