- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 04 Oct 2011 23:25:30 +0200
On Tue, 04 Oct 2011 23:15:01 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> A server has the option of declining _all_ non-CORS requests (e.g. all
> requests without an Origin header). Servers that care about others
> getting at their images should do so. Of course that relies on all UAs
> implementing @crossorigin so that servers can require it when linking to
> their images... But once we get there, this becomes a quite viable
> strategy for the server to avoid leaking their images.

I think http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html is a better strategy for achieving that. The advantage being that only changes on the server are required.

-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 4 October 2011 14:25:30 UTC