- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 22 Jun 2009 08:48:17 +0200
- To: François REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>
- Cc: "CSS 3 W3C Group" <www-style@w3.org>
On Mon, 22 Jun 2009 08:17:33 +0200, François REMY <fremycompany_pub@yahoo.fr> wrote:
> This is the intent of my request, indeed. I never said a simple header
> would provide full restriction.

I am not really sure how to explain this in a simple way, but what XMLHttpRequest does is different semantically from what @font-face does. What is protected by the Access-Control-Allow-Origin header (and indeed, by the same-origin restriction on XMLHttpRequest before that) in case of simple requests using the GET method is not the request, but the exposure of the response entity body. This is a vastly different scenario from fonts (and images), where the response entity body is not exposed and therefore does not need protection. (Until you make it more complicated with e.g. <canvas>, but let's not go there.)

I do not think that twisting the semantics of Access-Control-Allow-Origin to do other things than the above is a good thing. Especially in the way you seem to be suggesting. I.e. that the presence of the header can somehow have a negative effect compared to it not being there at all. To a lesser extent also as to what Robert is proposing and Gecko is currently doing as it is not about that either.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 22 June 2009 06:49:01 UTC
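
The distinction drawn in the message above, as an added toy model that is not part of the original e-mail and is not real browser code: a simple cross-origin GET always reaches the server, and Access-Control-Allow-Origin decides only whether script may read the response entity body. All function names and origins here are hypothetical, and the check assumes a request without credentials.

```javascript
// Constructed "server": it processes and logs every GET, whatever
// Access-Control-Allow-Origin (ACAO) value it is configured to send.
function makeServer(origin, body, acao) {
  const log = [];
  return {
    origin,
    log,
    handleGet(requestOrigin) {
      log.push(requestOrigin); // the request itself is never blocked
      const headers = {};
      if (acao !== undefined) headers['access-control-allow-origin'] = acao;
      return { headers, body };
    },
  };
}

// Exposure check for a simple GET without credentials:
// same origin, "*", or an exact match on the requesting origin.
function mayExposeBody(pageOrigin, server, response) {
  if (pageOrigin === server.origin) return true;
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// XMLHttpRequest-like simple GET: the request is sent either way; only the
// exposure of the response entity body to script is gated by the header.
function xhrSimpleGet(pageOrigin, server) {
  const response = server.handleGet(pageOrigin);
  const exposed = mayExposeBody(pageOrigin, server, response);
  return { sent: true, responseText: exposed ? response.body : null };
}

// Font/image-like load as the message describes it: the bytes are used for
// rendering and never handed to script, so no body exposure takes place.
function loadSubresource(pageOrigin, server) {
  const response = server.handleGet(pageOrigin);
  return { sent: true, rendered: response.body.length > 0, responseText: null };
}
```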