Re: New work on fonts at W3C

On Jun 21, 2009, at 11:48 PM, Anne van Kesteren wrote:

> On Mon, 22 Jun 2009 08:17:33 +0200, François REMY < 
> > wrote:
>> This is the intent of my request, indeed. I never said a simple  
>> header
>> would provide full restriction.
> I am not really sure how to explain this in a simple way, but what  
> XMLHttpRequest does is different semantically from what @font-face  
> does. What is protected by the Access-Control-Allow-Origin header  
> (and indeed, by the same-origin restriction on XMLHttpRequest before  
> that) in case of simple requests using the GET method is not the  
> request, but the exposure of the response entity body. This is a  
> vastly different scenario from fonts (and images), where the  
> response entity body is not exposed and therefore does not need  
> protection. (Until you make it more complicated with e.g. <canvas>,  
> but lets not go there.)
> I do not think that twisting the semantics of Access-Control-Allow- 
> Origin to do other things than the above is a good thing. Especially  
> in the way you seem to be suggesting. I.e. that the presence of the  
> header can somehow have a negative affect compared to it not being  
> there at all.

Are you saying that there is a technical barrier to having CORS  
provide restrictions instead of just easing restrictions, because it  
would need to prevent a resource from loading instead of just  
preventing it from executing? Or is it more of a philosophical problem  
because that was not the original intent of the standard?

Received on Monday, 22 June 2009 17:14:06 UTC