Re: New work on fonts at W3C

On Mon, 22 Jun 2009 08:00:12 +0200, François REMY <> wrote:
> From: "Anne van Kesteren" <>
>> Where is this header defined?
> In the XHR Cross-Site Scripting module, if I remember.

I'm not sure what you mean by that, though as editor of the XMLHttpRequest specifications (and as editor of CORS) I can tell you there is no X-Allow-... header defined in those specifications.

>> Making it use the same headers as the CORS protocol but with wildly  
>> different semantics does not seem like a good idea to me. Also, I'm  
>> somewhat skeptical that something which negatively affects clients that  
>> implement it when incorrectly used can be successfully deployed.
> If they can use it for the XHR, why could they not use it for trying to
> secure their own documents ?

It is not about restricting. As I said earlier, CORS is about _lifting_ a restriction (that is present, e.g., with XMLHttpRequest), not imposing one.

Anne van Kesteren

Received on Monday, 22 June 2009 06:09:11 UTC