- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 11 Mar 2011 12:25:59 -0500

On 3/11/11 11:56 AM, Tab Atkins Jr. wrote:
> I suspect it wouldn't be too difficult to do this better - we can know
> ahead of time whether the window contains any cross-origin resources
> that aren't cleared by CORS.

There are lots of loads that can be cross-origin but aren't subject to CORS at the moment (so browsers don't track whether they're cross-origin): images, subframes, backgrounds, fonts all come to mind.

For backgrounds and fonts there's the additional complication that there are more than two origins involved:

1) The origin of the page.
2) The origin of the stylesheet url the page was trying to load.
3) The origin of the stylesheet.
4) The origin of the url the stylesheet links to.
5) The origin of the font or background.

One could argue that #2 and #4 are not relevant here (though they are in other contexts at times; e.g. for <script>). That still leaves 1,3,5, whose interaction would need to be defined.

-Boris

Received on Friday, 11 March 2011 09:25:59 UTC