Re: New work on fonts at W3C

From: Aryeh Gregor <Simetrical+w3c@gmail.com>
Date: Mon, 22 Jun 2009 16:15:19 -0400
Message-ID: <7c2a12e20906221315y4da09bc8q76e1e6b2cc6d7c23@mail.gmail.com>
To: Brad Kemper <brad.kemper@gmail.com>
Cc: Mikko Rantalainen <mikko.rantalainen@peda.net>, "www-style@w3.org" <www-style@w3.org>, whatwg@whatwg.org

On Mon, Jun 22, 2009 at 10:43 AM, Brad Kemper <brad.kemper@gmail.com> wrote:
> This makes sense to me. I was surprised and found it counter-intuitive to
> learn that CORS could be used to list the servers that are allowed access,
> but could not and would not restrict access to servers not on that list. Why
> not? If the header was added to an image file, it would seem to be a clear
> indication of what servers were allowed access or not.

Consider the following scenario:

1) Site A hotlinks images from site B

2) Firefox 3.5 implements CORS in a way that allows sites to deny
cross-origin requests of images

3) Site B's webmaster hears about this and says "Great, I can stop
hotlinking!" and uses it

4) User of site A upgrades to Firefox 3.5, images suddenly break.
User gets annoyed and concludes Firefox 3.5 is broken, and switches
back to Firefox 3.0 or to a competing browser.

I believe that's the major rationale for not permitting cross-origin
restrictions on existing media types.  The only way this could work is
if *all* browsers agreed to implement it all at once, and it would
still seriously annoy a lot of users/cause them to delay
upgrading/etc., which none of the browser vendors want to do.

Received on Monday, 22 June 2009 20:15:56 UTC
