W3C home > Mailing lists > Public > www-style@w3.org > June 2009

Re: New work on fonts at W3C

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 22 Jun 2009 08:08:25 +0200
To: Fran├žois REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>
Cc: "CSS 3 W3C Group" <www-style@w3.org>
Message-ID: <op.uvwwoblw64w2qv@annevk-t60>
On Mon, 22 Jun 2009 08:00:12 +0200, Fran├žois REMY <fremycompany_pub@yahoo.fr> wrote:
> From: "Anne van Kesteren" <annevk@opera.com>
>> Where is this header defined?
> In the XHR Cross-Site Scripting module, if I remember.

I'm not sure what you mean by that, though as editor of the XMLHttpRequest specifications (and as editor of CORS) I can tell you  there is no X-Allow-... header defined in those specifications.

>> Making it use the same headers as the CORS protocol but with wildly  
>> different semantics does not seem like a good idea to me. Also, I'm  
>> somewhat skeptical that something which negatively affects clients that  
>> implement it when incorrectly used can be successfully deployed.
> If they can use if for the XHR, why could they not use it for trying to  
> secure their own documents ?

It is not about restricting. As I said earlier CORS is about _lifting_ a restriction (that is a present e.g. with XMLHttpRequest), not imposing one.

Anne van Kesteren
Received on Monday, 22 June 2009 06:09:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:07:37 UTC