Re: New work on fonts at W3C

On Sat, 20 Jun 2009 21:47:32 +0200, François REMY <> wrote:
> From: "Anne van Kesteren" <>
>> My point is that since we do not have cross-origin restrictions for all
>> those various other ways to load resources cross-origin (<link>,  
>> <script>, <img>, <video>, <audio>, <form>, <svg:image>, 'content',
>> 'background-image', 'list-style-image', 'cursor', and probably more) it
>> does not make sense to impose such a restriction here.
> Fully agree. Except if the site provides an X-Allow-... header.

Where is this header defined?

> If such a header is present, URLs that don't match the criteria should not be
> allowed to access the resource. This simple principle could be
> applied on the whole web without having problems with old content
> that doesn't contain the header.
> It would be a system similar to what is already done with the
> XMLHttpRequest object, except that if no header is present, the
> resource (font, image, video) can be used, while with XHR no
> header means no authorization.
> What do you think of it?

Making it use the same headers as the CORS protocol but with wildly different semantics does not seem like a good idea to me. Also, I'm somewhat skeptical that something which negatively affects clients that implement it when incorrectly used can be successfully deployed.

Anne van Kesteren

Received on Monday, 22 June 2009 05:51:48 UTC
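
An added example, not part of the original thread: a simplified model of the two readings of one allow-origin header discussed above, CORS as used for cross-origin XMLHttpRequest (no header means no access) and the proposal in the quoted message (no header means the resource can be used). The function names, origins and header values are constructed for illustration, and matching is reduced to `*` or one exact origin.

```javascript
// Added illustration; a simplified model, not a browser implementation.
// The header value is matched as "*" or one exact origin.
function headerMatches(value, origin) {
  const v = value.trim();
  return v === "*" || v === origin;
}

// CORS semantics for cross-origin XMLHttpRequest: no header, no access.
function corsDecision(allowOrigin, origin) {
  if (allowOrigin === undefined) return "deny";
  return headerMatches(allowOrigin, origin) ? "allow" : "deny";
}

// Semantics proposed in the quoted message: no header means usable,
// a present header that does not match means blocked.
function proposedDecision(allowOrigin, origin) {
  if (allowOrigin === undefined) return "allow";
  return headerMatches(allowOrigin, origin) ? "allow" : "deny";
}

// A client that does not implement the check at all.
function legacyDecision() {
  return "allow";
}

// One row per server configuration, one column per kind of client.
function decisionTable(origin, cases) {
  return cases.map(({ label, header }) => ({
    label,
    legacy: legacyDecision(),
    proposed: proposedDecision(header, origin),
    cors: corsDecision(header, origin),
  }));
}

// Constructed sample data (hypothetical origins).
const PAGE_ORIGIN = "https://blog.example";
const CASES = [
  { label: "no header (old content)", header: undefined },
  { label: "header names the page", header: "https://blog.example" },
  { label: "header names another site", header: "https://fonts.example" },
  { label: "header value mistyped", header: "https://blog.exmaple" },
];

const TABLE = decisionTable(PAGE_ORIGIN, CASES);
console.table(TABLE);
```

The first row is where the two readings of the same header diverge; the last row is the case where only clients that implement the check lose access to the resource.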