Re: New work on fonts at W3C

From: "Anne van Kesteren" <annevk@opera.com>
Sent: Monday, June 22, 2009 7:51 AM
To: "François REMY" <fremycompany_pub@yahoo.fr>; "Robert O'Callahan" 
<robert@ocallahan.org>
Cc: "CSS 3 W3C Group" <www-style@w3.org>
Subject: Re: New work on fonts at W3C

> On Sat, 20 Jun 2009 21:47:32 +0200, François REMY 
> <fremycompany_pub@yahoo.fr> wrote:
>> From: "Anne van Kesteren" <annevk@opera.com>
>>> My point is that since we do not have cross-origin restrictions for all
>>> those various other ways to load resources cross-origin (<link>,
>>> <script>, <img>, <video>, <audio>, <form>, <svg:image>, 'content',
>>> 'background-image', 'list-style-image', 'cursor', and probably more) it
>>> does not make sense to impose such a restriction here.
>>
>> Fully agree. Except if the site provide a X-Allow-... header.
>
> Where is this header defined?

In the XHR Cross-Site Scripting module, if I remember.

>
>> If such an header is present, urls that don't match the criteria should 
>> not be
>> allowed to acceed to the ressource. This simple principe could be
>> applied on the whole web without having problem with old content,
>> that doens't contains the header.
>>
>> It would be a similar system that what is already done with the
>> XMLHttpRequest object, except that if no header is present, the
>> ressource (font, image, video) can be used while whit XHR no
>> header means no autorisation.
>>
>> What do you think of it ?
>
> Making it use the same headers as the CORS protocol but with wildly 
> different semantics does not seem like a good idea to me. Also, I'm 
> somewhat skeptical that something which negatively affects clients that 
> implement it when incorrectly used can be successfully deployed.

If they can use if for the XHR, why could they not use it for trying to 
secure their own documents ?

>
>
> -- 
> Anne van Kesteren
> http://annevankesteren.nl/

Received on Monday, 22 June 2009 06:00:45 UTC