RE: css3-fonts: should not dictate usage policy with respect to origin

On Monday, June 20, 2011 3:30 AM Florian Rivoal wrote:

> The current draft of Anne's proposal[1], which is the solution Opera
> prefers,
> uses MUST when describing how its algorithm should be applied, so we
> are
> fine
> with the mechanism being mandatory.
> Do you see any reason to prefer the same origin policy over From-
> Origin?

I believe there may be a need for clarification here: From-Origin (as proposed by Anne) or CORS (as it exists today) are both access control mechanisms - From-Origin offers a generic way for authors to opt-in for origin restrictions for any resource type, while CORS allows to relax (i.e. opt-out from) the restriction that is imposed by default. They are not alternative solutions to same origin restriction - they both complement it by offering a way to relax it. 

Same origin restriction should really be considered just a default initial state, as it can be relaxed using either of access control mechanisms. <From-Origin=same> would result in the same behavior as currently specified, so it isn't SOR vs. From-Origin or CORS, it's about whether From-Origin is a better way to do it (I believe, yes), and whether a default initial state should be defined (and, again, I believe - yes, it should). 

What is of utmost importance here is that there *is* a normative mechanism in place that gives authors a way to control how the resources they published should be used.

Thank you,

>   - Florian
> [1]

Received on Monday, 20 June 2011 17:16:34 UTC