Re: Cross-Origin Resource Embedding Restrictions

On Tue, Mar 1, 2011 at 3:33 PM, Nathan <> wrote:
> (rather than controlled only "by user agents which choose to follow the specs" offering
> an artificial screen).

If user agents deliberately ignore the specs to allow embedding where
authors don't want it to, they can do it with any model--Referer,
Origin, From-Origin, etc.  They all depend on UA cooperation.

In practice, as long as most browsers support it and enable it by
default, that's enough to discourage people from embedding resources
from sites that don't want them to.

> However, on this specific draft, is there any chance you can move to a
> white-list/black-list model, where people can send either Allow-Origin or
> Deny-Origin, for instance in many scenarios I want to allow everyone except
> origins A and B who I know consistently "steal" bandwidth, or display my
> resources beside unsavoury ones.

Sending whitelists in a header makes sense to me, but sending
blacklists with every request doesn't scale--such a list could easily
end up having dozens of entries, bloating the headers for every
request.  You may not actually want to expose your entire blacklist to
the public, either.

Blacklisting does seem like a fair use case, though; it often makes
sense to want to block particularly abusive sites, without blocking

Glenn Maynard

Received on Tuesday, 1 March 2011 21:11:32 UTC