- From: Mikko Rantalainen <mikko.rantalainen@peda.net>
- Date: Mon, 22 Jun 2009 14:12:27 +0300
Anne van Kesteren wrote:
> On Sat, 20 Jun 2009 17:07:06 +0200, Brad Kemper <brad.kemper at gmail.com>
> wrote:
>> I didn't mean it should be restricted by default. Just that CORS could
>> restrict it like anything else if you told it to. And that the font
>> could instruct the CORS mechanism.
>
> That's not how CORS works. CORS is not about restricting at all. It is
> about lifting cross-origin restrictions if any are present. If there are
> no restrictions to start with (which I think makes sense for consistency
> as I pointed out though it seems not everyone agrees) CORS cannot impose
> any.

Perhaps CORS could be further defined to use the following rules:

1) without CORS same-origin restrictions may or may not apply depending
   on the resource type or user agent (with XHR it does apply, with IMG
   SRC attribute it does not apply)

2) with CORS, the same-origin restrictions always apply and in addition
   to same-origin, any entity listed in CORS may use the resource

This way CORS could be expanded to apply to XML, CSS, images, videos and
font files.

This would change the status of CORS somewhat - it would still only allow
lifting cross-origin restrictions but the mere presence of it would
suggest to the user agent that same-origin checks should be done. If
enough user agents started following the hints given with CORS it could
be used as a pseudo-restriction (I would consider this a label and fence
as used in this font discussion.)

-- 
Mikko
Received on Monday, 22 June 2009 04:12:27 UTC
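
The two rules proposed in the message above, modelled as a decision function. This is an added example, not part of the original message and not the CORS specification's algorithm; `decide`, `originOf`, `allowList`, the `"ua-defined"` result and the `.example` hosts are hypothetical names and constructed values.

```javascript
// Added illustration of the two proposed rules. All names are hypothetical.

// Rule 1 defaults, as named in the message: XHR is same-origin restricted,
// IMG SRC is not. Any other resource type is left to the user agent.
const LEGACY_RESTRICTED = new Map([["xhr", true], ["img", false]]);

// Compare origins (scheme + host + port), never raw URL strings.
const originOf = (url) => new URL(url).origin;

// allowList: null when the response carries no CORS information, otherwise
// the array of origins the resource lists (it may be empty).
function decide({ resourceUrl, pageUrl, type, allowList = null }) {
  const page = originOf(pageUrl);
  if (originOf(resourceUrl) === page) return "allow"; // same origin always passes

  if (allowList === null) {
    // Rule 1: no CORS present, so the outcome depends on resource type or UA.
    if (!LEGACY_RESTRICTED.has(type)) return "ua-defined";
    return LEGACY_RESTRICTED.get(type) ? "deny" : "allow";
  }

  // Rule 2: CORS present, so same-origin checks apply to every resource
  // type and only the listed origins are let through.
  return allowList.some((o) => originOf(o) === page) ? "allow" : "deny";
}

// Constructed sample: the same image, requested by an unlisted page,
// without and then with a CORS list naming a different origin.
function demo() {
  const base = {
    resourceUrl: "http://static.example/logo.png",
    pageUrl: "http://other.example/page.html",
    type: "img",
  };
  return {
    withoutCors: decide(base),
    withCors: decide({ ...base, allowList: ["http://partner.example"] }),
  };
}

console.log(demo()); // the mere presence of the list turns "allow" into "deny"
```
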