On Sat, 20 Jun 2009 21:47:32 +0200, François REMY <fremycompany_pub@yahoo.fr> wrote:
> From: "Anne van Kesteren" <annevk@opera.com>
>> My point is that since we do not have cross-origin restrictions for all
>> those various other ways to load resources cross-origin (<link>,
>> <script>, <img>, <video>, <audio>, <form>, <svg:image>, 'content',
>> 'background-image', 'list-style-image', 'cursor', and probably more) it
>> does not make sense to impose such a restriction here.
>
> Fully agree. Except if the site provides an X-Allow-... header.

Where is this header defined?

> If such a header is present, URLs that don't match the criteria should not be
> allowed to access the resource. This simple principle could be
> applied on the whole web without having problems with old content
> that doesn't contain the header.
>
> It would be a similar system to what is already done with the
> XMLHttpRequest object, except that if no header is present, the
> resource (font, image, video) can be used, while with XHR no
> header means no authorization.
>
> What do you think of it?

Making it use the same headers as the CORS protocol but with wildly different semantics does not seem like a good idea to me. Also, I'm somewhat skeptical that something which negatively affects clients that implement it when incorrectly used can be successfully deployed.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 22 June 2009 05:51:48 UTC