- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 4 Oct 2011 22:35:51 +0000 (UTC)
On Tue, 4 Oct 2011, Anne van Kesteren wrote:
> On Tue, 04 Oct 2011 23:15:01 +0200, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> > A server has the option of declining _all_ non-CORS requests (e.g. all
> > requests without an Origin header). Servers that care about others
> > getting at their images should do so. Of course that relies on all
> > UAs implementing @crossorigin so that servers can require it when
> > linking to their images... But once we get there, this becomes a quite
> > viable strategy for the server to avoid leaking their images.
>
> I think http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html is
> a better strategy for achieving that. The advantage being that only
> changes on the server are required.

There's no way with this for the server to allow the client to use the image only if the origin is one of a few hundred origins, but not otherwise. (For example, allowing the image to be used by any google.* domain registered by Google, but not any other domain.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 4 October 2011 15:35:51 UTC
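A server-side sketch of the strategy Boris describes (decline any image request that carries no Origin header, then consult an allow-list), written so that it can express the case Ian raises, a family of sibling domains rather than a single origin. This is an added example, not code from the thread or from either specification; the allow-list, the `example.*` host pattern and the handler names are constructed for illustration, and header names are assumed to be already normalised to their canonical case.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of exact origins (stands in for "a few hundred origins").
ALLOWED_ORIGINS = {
    "https://www.example.com",
    "https://app.example.com",
}

# Constructed pattern for a family of sibling hosts, e.g. every "example.<tld>",
# which is the kind of rule a single From-Origin value cannot express.
ALLOWED_HOST_PATTERN = re.compile(r"^(?:[a-z0-9-]+\.)*example\.[a-z]{2,}$")


def origin_allowed(origin: str) -> bool:
    """Return True if an Origin header value is on the allow-list."""
    if origin in ALLOWED_ORIGINS:
        return True
    parts = urlsplit(origin)
    # Only https origins of the form scheme://host[:port] are considered;
    # "null", bare words and anything with a path are rejected.
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return bool(ALLOWED_HOST_PATTERN.match(parts.hostname))


def handle_image_request(headers: dict) -> tuple[int, dict]:
    """Decide the status and response headers for a protected image.

    A request without Origin (a plain <img> from a UA that does not send one)
    is declined outright, as Boris suggests; with Origin, the allow-list decides.
    """
    origin = headers.get("Origin")
    if origin is None or not origin_allowed(origin):
        return 403, {}
    # Echo the specific allowed origin rather than "*" and mark the response
    # as varying on Origin so caches do not serve it to another origin.
    return 200, {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
    }
```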