- From: Brad Kemper <brad.kemper@gmail.com>
- Date: Tue, 23 Jun 2009 07:28:32 -0700
- To: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Cc: Mikko Rantalainen <mikko.rantalainen@peda.net>, "www-style@w3.org" <www-style@w3.org>, whatwg@whatwg.org
On Jun 22, 2009, at 1:15 PM, Aryeh Gregor wrote:

> On Mon, Jun 22, 2009 at 10:43 AM, Brad Kemper<brad.kemper@gmail.com> wrote:
>> This makes sense to me. I was surprised and found it counter-intuitive to
>> learn that CORS could be used to list the servers that are allowed access,
>> but could not and would not restrict access to servers not on that list. Why
>> not? If the header was added to an image file, it would seem to be a clear
>> indication of what servers were allowed access or not.
>
> Consider the following scenario:
>
> 1) Site A hotlinks images from site B
>
> 2) Firefox 3.5 implements CORS in a way that allows sites to deny
> cross-origin requests of images
>
> 3) Site B's webmaster hears about this and says "Great, I can stop
> hotlinking!" and uses it

As should be his right. There are some current methods available, but they are cumbersome and heavy handed.

> 4) User of site A upgrades to Firefox 3.5, images suddenly break.
> User gets annoyed and concludes Firefox 3.5 is broken, and switches
> back to Firefox 3.0 or to a competing browser.

If site A is using site B's images against the wishes of site A, then it will probably be broken often anyway, because when site B finds out about it, he will change the names or locations of the files, and replace the old ones with pictures to embarrass the content thief. People who frequent sites that are stealing other people's intellectual property should really expect those sites to have problems. Is market share so important that it must serve the needs of the shadiest of operations at the expense of mainstream society? Do software publishers really want their UA's to become known as the browser that allows flagrant copyright violation if other UAs don't? Your reputation is colored by the company you choose to associate with the most.

> I believe that's the major rationale for not permitting cross-origin
> restrictions on existing media types. The only way this could work is
> if *all* browsers agreed to implement it all at once, and it would
> still seriously annoy a lot of users/cause them to delay
> upgrading/etc.,

The only people it would annoy would be the subclass that are going to irrefutable sites that illegitimately use the fruits of other people's labors in order to profit or gain for themselves.

> which none of the browser vendors want to do.
Received on Tuesday, 23 June 2009 14:29:16 UTC