- From: Thomas Lord <lord@emf.net>
- Date: Thu, 02 Jul 2009 17:33:37 -0700
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- Cc: Sylvain Galineau <sylvaing@microsoft.com>, luke whitmore <lwhitmore@gmail.com>, "www-font@w3.org" <www-font@w3.org>

On Thu, 2009-07-02 at 19:19 -0500, Tab Atkins Jr. wrote:

> Unless I'm *completely* wrong (and I don't think I am, because Anne
> has been very assertive in correcting people about how same-origin and
> CORS works), you're wrong.

> Same-origin restrictions do not affect the server *at all*. If a
> same-origin restriction is in effect, the *browser* enforces it,
> *after* receiving the resource from the server.

Very briefly:

http://www.w3.org/TR/access-control/

  1 Introduction
  [....]
  Server-side applications are enabled to discover that an HTTP
  request was deemed a cross-origin request by the user agent,
  through the Origin header. This extension enables server-side
  applications to enforce limitations on the cross-origin requests
  that they are willing to service.

CORS concedes the right of servers to not serve up a given
resource and constructs a system in which conforming clients,
which we presume most users will use, help to streamline that
process to the benefit of both parties.

-t

Received on Friday, 3 July 2009 00:34:20 UTC
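
The server-side use of the Origin header that the quoted specification text describes, as an added example that is not part of the original message or of the CORS specification. The allow-list entries and the names `ALLOWED_ORIGINS`, `decideFontResponse` and `handleFontRequest` are hypothetical.

```javascript
// Added example: server-side enforcement keyed on the Origin header.
// ALLOWED_ORIGINS and both function names are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://www.example.com",   // constructed sample values
  "https://blog.example.com",
]);

// Decide how to answer a request for a font file, given its headers
// (lower-cased keys, as Node's http module supplies them).
function decideFontResponse(headers) {
  const origin = headers["origin"];

  // No Origin header: the user agent did not flag the request as
  // cross-origin (or the client is not a browser). Serve the resource
  // without any Access-Control-* headers.
  if (origin === undefined) {
    return { status: 200, headers: { "Vary": "Origin" } };
  }

  // Exact string match only. Substring or suffix matching would accept
  // look-alike hosts, and the literal "null" origin is never listed.
  if (ALLOWED_ORIGINS.has(origin)) {
    return {
      status: 200,
      headers: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" },
    };
  }

  // The server declines to service this cross-origin request at all,
  // rather than relying on the browser to discard the response.
  return { status: 403, headers: { "Vary": "Origin" } };
}

// Wiring into Node's built-in http server (not started here).
function handleFontRequest(req, res) {
  const decision = decideFontResponse(req.headers);
  res.writeHead(decision.status, decision.headers);
  res.end(decision.status === 200 ? "<font bytes>" : "");
}
```

The Origin header is set by the user agent, so this check limits what conforming browsers fetch on behalf of other sites; a non-browser client can send any Origin value or none.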