- From: Brad Kemper <brad.kemper@gmail.com>
- Date: Sat, 20 Jun 2009 10:05:23 -0700
- To: robert@ocallahan.org
- Cc: Anne van Kesteren <annevk@opera.com>, John Daggett <jdaggett@mozilla.com>, www-style@w3.org
Received on Saturday, 20 June 2009 17:06:05 UTC
On Jun 20, 2009, at 5:15 AM, Robert O'Callahan wrote: > On Sat, Jun 20, 2009 at 11:55 PM, Anne van Kesteren > <annevk@opera.com> wrote: > On Sat, 20 Jun 2009 13:26:19 +0200, Robert O'Callahan <robert@ocallahan.org > > wrote: > On Sat, Jun 20, 2009 at 10:29 PM, Anne van Kesteren > <annevk@opera.com>wrote: > I'm not sure we should have cross-origin restrictions on font loading > though. Mozilla implemented this, but it seems really inconsistent > with > similar APIs, e.g. <img> and <script> > > If we could have cross-origin restrictions on <img> and <script> > without > breaking the Web, we would. > > My point is that since we do not have cross-origin restrictions for > all those various other ways to load resources cross-origin (<link>, > <script>, <img>, <video>, <audio>, <form>, <svg:image>, 'content', > 'background-image', 'list-style-image', 'cursor', and probably more) > it does not make sense to impose such a restriction here. > > I don't think it's valuable to be consistent with a model that is > fundamentally insecure and deprives authors of control over who uses > their resources. > It is valuable to have a single standard for how cross-origin restrictions are handled, whether for images, scripts, fonts, or anything else, and that's what CORS is.
Received on Saturday, 20 June 2009 17:06:05 UTC