- From: Brad Kemper <brad.kemper@gmail.com>
- Date: Tue, 23 Jun 2009 07:16:17 -0700
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "Mikko Rantalainen" <mikko.rantalainen@peda.net>, François REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>, "CSS 3 W3C Group" <www-style@w3.org>
On Jun 23, 2009, at 2:30 AM, Anne van Kesteren wrote:

> On Mon, 22 Jun 2009 19:13:30 +0200, Brad Kemper <brad.kemper@gmail.com> wrote:
>> Are you saying that there is a technical barrier to having CORS provide restrictions instead of just easing restrictions, because it would need to prevent a resource from loading instead of just preventing it from executing? Or is it more of a philosophical problem because that was not the original intent of the standard?
>
> Imposing restrictions is something the WG considered to be out of scope very early on for reasons I and others already explained.

The only reasons I've heard have either been absurd, or left requests for clarification unanswered. It seems absurd to me that if a Web site owner indicated that certain images were not to be used in cross-site linking, that there would be massive breakage of the Web, presumably because so much of the Web depends on copyright violation, and violation is more important than protection.

I don't see that there is really that much violation going on though. Either resources are copied outright, or the images are not intended to be restricted, or the only people that would be affected by the restrictions are thieves that would be just as foiled (at least temporarily) by the image owner removing the image or moving it to a different directory. That hardly sounds to me like something that would cause massive breakage.

Besides images, a restrictive header could also be used to prevent illegal iframing of pages, such as what currently aids phishing attacks and click-jacking. Blocking ALL cross-site linking to a particular file type and then turning it off on a case-by-case basis (such as Firefox 3.5 will) is a much blunter hammer than just letting the site owners determine what they do and do not want restricted and then honoring that decision.

> (CORS can be used for images by the way, but not for imposing restrictions on whether they can be displayed, but whether they can be round-tripped through <canvas>.)
>
> I'm not sure why this thread became cc'ed to the WHATWG list by the way.

Neither do I.

> The WHATWG has nothing to do with CORS. The W3C WebApps WG is working on it. If people want to continue debating CORS I suggest they subscribe to public-webapps@w3.org and make coherent proposals there.

I don't care that much about all Web apps, but this one seems to have particular relevance to the issue here. If the draft of a standard on resource sharing is going to allow headers that say what sites can share, but refuse to use those to restrict access from other sites, then we (site owner/authors/font-licensees and foundries) are forced to look for some other way. We end up spinning our wheels trying to make CSS or the font itself restrict access, instead of handling it in the place that would be most natural.

Received on Tuesday, 23 June 2009 14:16:58 UTC