Re: Same-origin policies (Re: The other party in all this)

On Mon, Jul 6, 2009 at 2:38 PM, Bert Bos wrote:
> On Monday 06 July 2009, Dave Crossland wrote:
>> CORS has a precedent in Firefox, and no one objects to it.
> It's a side discussion, but just to correct that statement: I *do*
> object to a dependency on HTTP.
> The slashes[*] inside an HTTP URL help to abbreviate URLs, but imply
> nothing about who owns the resource. (Akamai would own half the world's
> most popular files, if it were otherwise; and the Internet Archive
> would own the rest.) Additionally, not all URLs are HTTP URLs: think of
> e-mail message identifiers, p2p protocols, ISBN numbers, data URLs,
> etc.
> If it is important to know that font A is licensed for use with document
> B, then that information should stay with the font, no matter where the
> font is copied to: another server, a local hard disk, a CD, a zip file,
> the Internet Archive, Akamai's network, Gnutella, etc. Formats like
> EOT[3], Thomas Lord's multipart files[2], or OpenType with
> modified/extra tables[4,5] make that possible. CORS[1] doesn't (and
> wasn't designed to do so).
> [*] Tim Berners-Lee has said[7] that the mistake he made in HTTP URLs is
> the double slash. Its existence limits the content provider and
> confuses the content consumer. E.g., the EOT URL[3] should have been
> http:/org/w3/www/Submission/EOT/. How much is handled by a DNS server
> and how much by an HTTP server is up to the content provider, no need
> for the client to know that.
> [1]
> [2]
> [3]
> [4]
> [5]
> [7]

While I agree, are you trying to suggest that people think that
CORS/same-origin restrictions carry ownership information with them in
any way?


Received on Monday, 6 July 2009 20:58:29 UTC