RE: css3-fonts: should not dictate usage policy with respect to origin

On Tuesday, June 21, 2011 1:41 AM Florian Rivoal wrote:
> In the current From-Origin proposal, From-Origin=any is achieved by not
> having the header. I am not sure I agree that not having this header
> should mean different things for different types of resources.
> Consistency and predictability lead to fewer bugs.

I believe Robert O'Callahan and other participants on this thread have presented compelling reasons why unrestricted resource sharing is harmful. Consistency is good in general, but there is a real problem that needs to be fixed. We cannot go back and change the way things have been done before, but we sure can learn from it and at least try not to repeat the same mistakes for the sake of consistency. Preserving backward compatibility is important, and Anne's From-Origin proposal addresses this, but if fixing the real problem requires breaking the consistency - this is a small price to pay, IMO.

Existing Firefox and IE implementations already apply a same-origin restriction on any resource that is linked via @font-face, and it seems to work just fine, not causing any issues for authors to complain about - for the vast majority of authors it actually eliminates the need to even worry about access control restrictions because the most popular option (using my own resources on my own website) works just fine without any additional effort, and all those who want to hotlink to my resource (leeching the bandwidth I pay for) are out of luck!


Received on Tuesday, 21 June 2011 13:12:37 UTC