- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 04 Oct 2011 17:15:01 -0400
On 10/4/11 4:24 PM, Kenneth Russell wrote:
> I don't think that this is a good argument for the currently specified
> behavior. The server only has the option of declining cross-origin
> access if the application specified the crossorigin attribute.

A server has the option of declining _all_ non-CORS requests (e.g. all requests without an Origin header). Servers that care about others getting at their images should do so.

Of course that relies on all UAs implementing @crossorigin so that servers can require it when linking to their images... But once we get there, this becomes a quite viable strategy for the server to avoid leaking their images.

-Boris
Received on Tuesday, 4 October 2011 14:15:01 UTC
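
Added example, not part of the message above or of any specification text: a minimal WSGI sketch of the server-side policy the message describes, declining every image request that has no Origin header and answering CORS requests only for listed origins. The origin list, the image bytes and the names `decide` and `app` are assumptions made for illustration, and the sketch assumes every legitimate embedder requests the image with the crossorigin attribute.

```python
"""Added example: decline image requests that carry no Origin header."""
from wsgiref.simple_server import make_server

# Assumption: origins allowed to embed the images (constructed values).
ALLOWED_ORIGINS = {"https://app.example", "https://partner.example"}
IMAGE_BYTES = b"GIF89a"  # constructed stand-in for real image data


def decide(origin, allowed=ALLOWED_ORIGINS):
    """Return (status, extra_headers) for an image request.

    origin is the raw Origin request header, or None when it is absent.
    """
    # Vary: Origin keeps caches from replaying one origin's answer to another.
    base = [("Vary", "Origin")]
    if origin is None:
        # Non-CORS request (e.g. <img> without crossorigin): decline.
        return "403 Forbidden", base
    if origin not in allowed:
        # CORS request from an origin we do not serve ("null" included).
        return "403 Forbidden", base
    # Echo the single matching origin, never "*".
    return "200 OK", base + [("Access-Control-Allow-Origin", origin)]


def app(environ, start_response):
    """WSGI app serving one image under the policy above."""
    status, headers = decide(environ.get("HTTP_ORIGIN"))
    ok = status.startswith("200")
    body = IMAGE_BYTES if ok else b"CORS request required\n"
    ctype = "image/gif" if ok else "text/plain"
    start_response(status, headers + [("Content-Type", ctype),
                                      ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Local demo server; the port is arbitrary.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The Origin header is set by the browser, so this policy constrains what browsers will hand to cross-origin pages; an HTTP client outside a browser can send any Origin value it likes.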