Re: New work on fonts at W3C

On Jun 21, 2009, at 11:48 PM, Anne van Kesteren wrote:

> On Mon, 22 Jun 2009 08:17:33 +0200, François REMY <fremycompany_pub@yahoo.fr> wrote:
>> This is the intent of my request, indeed. I never said a simple header
>> would provide full restriction.
>
> I am not really sure how to explain this in a simple way, but what  
> XMLHttpRequest does is different semantically from what @font-face  
> does. What is protected by the Access-Control-Allow-Origin header  
> (and indeed, by the same-origin restriction on XMLHttpRequest before  
> that) in case of simple requests using the GET method is not the  
> request, but the exposure of the response entity body. This is a  
> vastly different scenario from fonts (and images), where the  
> response entity body is not exposed and therefore does not need  
> protection. (Until you make it more complicated with e.g. <canvas>,  
> but let's not go there.)
>
> I do not think that twisting the semantics of
> Access-Control-Allow-Origin to do other things than the above is a
> good thing. Especially in the way you seem to be suggesting. I.e. that
> the presence of the header can somehow have a negative effect compared
> to it not being there at all.

Are you saying that there is a technical barrier to having CORS  
provide restrictions instead of just easing restrictions, because it  
would need to prevent a resource from loading instead of just  
preventing it from executing? Or is it more of a philosophical problem  
because that was not the original intent of the standard?

Received on Monday, 22 June 2009 17:14:06 UTC