[whatwg] New work on fonts at W3C

On Mon, Jun 22, 2009 at 10:43 AM, Brad Kemper<brad.kemper at gmail.com> wrote:
> This makes sense to me. I was surprised and found it counter-intuitive to
> learn that CORS could be used to list the servers that are allowed access,
> but could not and would not restrict access to servers not on that list. Why
> not? If the header was added to an image file, it would seem to be a clear
> indication of what servers were allowed access or not.

Consider the following scenario:

1) Site A hotlinks images from site B

2) Firefox 3.5 implements CORS in a way that allows sites to deny
cross-origin requests of images

3) Site B's webmaster hears about this and says "Great, I can stop
hotlinking!" and uses it

4) User of site A upgrades to Firefox 3.5, images suddenly break.
User gets annoyed and concludes Firefox 3.5 is broken, and switches
back to Firefox 3.0 or to a competing browser.

I believe that's the major rationale for not permitting cross-origin
restrictions on existing media types.  The only way this could work is
if *all* browsers agreed to implement it all at once, and it would
still seriously annoy a lot of users/cause them to delay
upgrading/etc., which none of the browser vendors want to do.

Received on Monday, 22 June 2009 13:15:19 UTC