- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 23 Jun 2009 17:26:25 +0200
- To: "Brad Kemper" <brad.kemper@gmail.com>
- Cc: "Mikko Rantalainen" <mikko.rantalainen@peda.net>, François REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>, "CSS 3 W3C Group" <www-style@w3.org>
On Tue, 23 Jun 2009 16:16:17 +0200, Brad Kemper <brad.kemper@gmail.com> wrote:

> On Jun 23, 2009, at 2:30 AM, Anne van Kesteren wrote:
>> Imposing restrictions is something the WG considered to be out of scope
>> very early on for reasons I and others already explained.
>
> The only reasons I've heard have either been absurd, or left requests
> for clarification unanswered.
>
> It seems absurd to me that if a Web site owner indicated that certain
> images were not to be used in cross-site linking, that there would be
> massive breakage of the Web, [...]

That is not the only concern, though even if you disagree, a feature that has negative impact when incorrectly used on clients that support it is certainly considered to be problematic by implementors. The other concern is that a simple proxy server can circumvent the limitation in most cases (when credentials are not involved).

> [...] presumably because so much of the Web
> depends on copyright violation, and violation is more important than
> protection.

This has nothing to do with it.

> [...] I don't see that there is really that much violation going
> on though. Either resources are copied outright, or the images are not
> intended to be restricted, or the only people that would be affected by
> the restrictions are thieves that would be just as foiled (at least
> temporarily) by the image owner removing the image or moving it to a
> different directory. That hardly sounds to me like something that would
> cause massive breakage.

No, end users would be affected.

> Besides images, a restrictive header could also be used to prevent
> illegal iframing of pages, such as what currently aids phishing attacks
> and click-jacking.

CORS is not a solution for this. (Also, solutions for this particular problem are floating around, but there's no agreement yet on what exactly it should be.)

> Blocking ALL cross-site linking to a particular file type and then
> turning it off on a case-by-case basis (such as Firefox 3.5 will) is a
> much blunter hammer than just letting the site owners determine what
> they do and do not want restricted and then honoring that decision.

Yeah, as I said I do not really think what Gecko does here is the way to go.

>> The WHATWG has nothing to do with CORS. The W3C WebApps WG is working
>> on it. If people want to continue debating CORS I suggest they
>> subscribe to public-webapps@w3.org and make coherent proposals there.
>
> I don't care that much about all Web apps, but this one seems to have
> particular relevance to the issue here. If the draft of a standard on
> resource sharing is going to allow headers that say what sites can
> share, but refuse to use those to restrict access from other sites, then
> we (site owner/authors/font-licensees and foundries) are forced to look
> for some other way. We end up spinning our wheels trying to make CSS or
> the font itself restrict access, instead of handling it in the place
> that would be most natural.

I do not see why fonts ought to get special treatment and cannot be treated just like images, videos, etc.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 23 June 2009 15:27:11 UTC