Same-origin policies (Re: The other party in all this)

On Monday 06 July 2009, Dave Crossland wrote:

> CORS has a precedent in Firefox, and no one objects to it.

It's a side discussion, but just to correct that statement: I *do* 
object to a dependency on HTTP.

The slashes[*] inside an HTTP URL help to abbreviate URLs, but imply 
nothing about who owns the resource. (Akamai would own half the world's 
most popular files, if it were otherwise; and the Internet Archive 
would own the rest.) Additionally, not all URLs are HTTP URLs: think of 
e-mail message identifiers, p2p protocols, ISBN numbers, data URLs, 

If it is important to know that font A is licensed for use with document 
B, then that information should stay with the font, no matter where the 
font is copied to: another server, a local hard disk, a CD, a zip file, 
the Internet Archive, Akamai's network, Gnutella, etc. Formats like 
EOT[3], Thomas Lord's multipart files[2], or OpenType with 
modified/extra tables[4,5] make that possible. CORS[1] doesn't (and 
wasn't designed to do so).

[*] Tim Berners-Lee has said[7] that the mistake he made in HTTP URLs is 
the double slash. Its existence limits the content provider and 
confuses the content consumer. E.g., the EOT URL[3] should have been 
http:/org/w3/www/Submission/EOT/. How much is handled by a DNS server 
and how much by an HTTP server is up to the content provider, no need 
for the client to know that.


  Bert Bos                                ( W 3 C )
  W3C/ERCIM
  2004 Rt des Lucioles / BP 93
  06902 Sophia Antipolis Cedex, France
  +33 (0)4 92 38 76 92

Received on Monday, 6 July 2009 19:39:07 UTC