- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Mon, 22 Jun 2009 16:15:19 -0400
On Mon, Jun 22, 2009 at 10:43 AM, Brad Kemper <brad.kemper at gmail.com> wrote:
> This makes sense to me. I was surprised and found it counter-intuitive to
> learn that CORS could be used to list the servers that are allowed access,
> but could not and would not restrict access to servers not on that list. Why
> not? If the header was added to an image file, it would seem to be a clear
> indication of what servers were allowed access or not.

Consider the following scenario:

1) Site A hotlinks images from site B
2) Firefox 3.5 implements CORS in a way that allows sites to deny cross-origin requests of images
3) Site B's webmaster hears about this and says "Great, I can stop hotlinking!" and uses it
4) User of site A upgrades to Firefox 3.5, images suddenly break. User gets annoyed and concludes Firefox 3.5 is broken, and switches back to Firefox 3.0 or to a competing browser.

I believe that's the major rationale for not permitting cross-origin restrictions on existing media types. The only way this could work is if *all* browsers agreed to implement it all at once, and it would still seriously annoy a lot of users/cause them to delay upgrading/etc., which none of the browser vendors want to do.
Received on Monday, 22 June 2009 13:15:19 UTC