Re: What constitutes protection [was: About using CORS]

On Tue, 04 May 2010 12:44:58 +0900, Sylvain Galineau  
<sylvaing@microsoft.com> wrote:
> Where, why and how does it clash? If a browser does a simple
> cross-domain request as specified by CORS for font resources, how does
> that conflict with the 'existing design for same-origin policy'?

I explained before that to date we only have had same-origin protection to  
prevent information leakage. This is consistent across XMLHttpRequest,  
<img>, <form>, <video>, <audio>, <script>, <iframe>, etc. While if we  
could do things all over again this would likely have been done  
differently, we cannot. Since there is no information leakage, restricting
requests to be same-origin is uncalled for and inconsistent with the  
design principles that are used for the Web platform.

Of course we can change the principles and make an exception, but I do not  
feel it is justified.

(It is probably not worth going further on the "fonts are like images"  
theme. I do not think you are right that I lack some kind of knowledge I  
could have acquired by participating more. I have studied the subject to  
quite some extent since the day David Hyatt implemented @font-face support  
in WebKit in a couple of days. I think we simply disagree.)


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 4 May 2010 04:20:16 UTC