- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 04 May 2010 14:34:51 +0900
- To: "John Hudson" <tiro@tiro.com>, "Sylvain Galineau" <sylvaing@microsoft.com>
- Cc: "www-fonts@w3.org" <www-fonts@w3.org>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
On Tue, 04 May 2010 14:16:24 +0900, Sylvain Galineau <sylvaing@microsoft.com> wrote: >> From: Anne van Kesteren [mailto:annevk@opera.com] >> I explained before that to date we only have had same-origin protection >> to prevent information leakage. This is consistent across >> XMLHttpRequest, <img>, <form>, <video>, <audio>, <script>, <iframe>, >> etc. While if we >> could do things all over again this would likely have been done >> differently, we cannot. Since there is no information leakage >> restricting requests to be same-origin is uncalled for and inconsistent >> with the design principles that are used for the Web platform. > > OK, so because CORS was not intended to address this specific use-case, > the solution is to invent a new HTTP header that will essentially clone > the relevant subset of CORS (simple cross-domain requests, I think) and > that header is only to be used in cases where information leakage is not > involved. Right ? Not at all. From-Origin would complement CORS. It allows one to indicate a resource can not be used by the requesting party without having to inspect the Referer / Origin headers in the request. It does not affect request policies at all. > And that is both consistent 'with the design principles that are used > for the Web platform' and preferable to using an existing, working, > interoperable approach ? Using CORS for font requests is not at all interoperable today. Most implementations do not use it, in fact. CORS itself is also somewhat in the experimental stages still. To this date the WG is still debating whether the design should be radically changed, although I do not expect it will. > And once we agree on said solution, browser vendors who have already > written their web font code to use CORS will need to write new code and > may have to support the current solution for backward compatibility. > That seems a very costly route to interop. What are the benefits of such > a roadmap for authors ? What is the roadmap for authors who coded against WebKit or Presto and rely on cross-origin fonts without CORS? -- Anne van Kesteren http://annevankesteren.nl/
Received on Tuesday, 4 May 2010 05:35:56 UTC