Re: EOT-Lite File Format v.1.1

On Fri, Jul 31, 2009 at 3:11 PM, Sylvain Galineau<> wrote:
>>From: Tab Atkins Jr. []
>>That is indeed what I had missed.  I was still running under the
>>assumption that the rootstring bytes could be present, but were merely
>>classified as padding in EOTL.  My question is invalid if even the EOT
>>version of the header (where that 'padding' is meaningful data) can't
>>contain rootstrings.
>>Thanks, Sylvain.
> Yeah. I've stated about a dozen times the current proposal stores no rootstrings but
> since Lord was of course the main recipient it was most likely - and wisely -
> skipped as part of the persistent background noise :)

Nah, I heard it, it was just misunderstood.  Even in the earlier ideas
which reused a version of EOT with rootstrings, an EOTL still
officially has no rootstrings - it just has padding.  I was
interpreting you to basically be saying that, thus the mutual
confusion when we talked past each other.

> Vlad and Roc, however, have stated their preference for preserving the rootstring option
> for IE use only e.g. to allow authors to comply with EULA same-origin mandates. As
> I don't have EULAs to look at, and the very impractical nature of rootstrings was one
> of the main arguments against the EOT restriction model, the feature is effectively gone
> for the time being. Not just disabled or ignored but absent.

Well, there's a big difference technically between a single
same-origin rootstring that is used only to serve the file to legacy
clients, and a permanent rootstring facility that must be employed to
serve it to *all* clients.  The first isn't as important if it fails.

The mental difference between a temporary hack for down-level clients
and an enshrined portion of a spec is even greater.

> Of course, this means that IE<=8 may enable hotlinking if server-side measures similar
> to those used for other resource types are not in place. I'm looking into what checks,
> if any, were done for this version of the format...

Yup, this is why being *capable* of embedding a rootstring for
downlevel clients is useful - it's relatively easy to employ in a
limited fashion for downlevel clients, it's just really annoying to
have to deal with all across one's toolchain.  Foundries that don't
place that kind of responsibility on the client can ignore it
entirely, and once IE<=8 share drops enough it won't be worth worrying
about (any more than the fact that wget, etc. can simply ignore
same-origin restrictions if they choose).


Received on Friday, 31 July 2009 20:21:20 UTC