- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 30 May 2013 14:52:27 +0100
- To: "Robert O'Callahan" <robert@ocallahan.org>
- Cc: Dirk Schulze <dschulze@adobe.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, "public-fx@w3.org" <public-fx@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Daniel Holbert <dholbert@mozilla.com>, Philip Rogers <pdr@google.com>

On Thu, May 30, 2013 at 2:34 PM, Robert O'Callahan <robert@ocallahan.org> wrote:
> OK then, I think we'd have to use a regular non-CORS request and apply
> strict same-origin checking at time of use.

And on redirects? There's a same-origin mode for that. You could make that CORS as well though if that's the default anyway.

> We could however mint a "cors-url(...)" CSS image value which does a CORS
> fetch and completely fails for cross-origin loads.

You want to succeed for cross-origin fetches if they opt into CORS, no? But I'm not sure cors-url() is needed. It's only needed if the default is tainted cross-origin fetches.

--
http://annevankesteren.nl/

Received on Thursday, 30 May 2013 13:53:01 UTC