- From: Levantovsky, Vladimir <Vladimir.Levantovsky@MonotypeImaging.com>
- Date: Mon, 20 Jun 2011 13:16:07 -0400
- To: Florian Rivoal <florianr@opera.com>, John Hudson <tiro@tiro.com>
- CC: Glenn Adams <glenn@skynav.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Jonathan Kew <jonathan@jfkew.plus.com>, Tab Atkins Jr. <jackalmage@gmail.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
On Monday, June 20, 2011 3:30 AM Florian Rivoal wrote: > > The current draft of Anne's proposal[1], which is the solution Opera > prefers, > uses MUST when describing how its algorithm should be applied, so we > are > fine > with the mechanism being mandatory. > > Do you see any reason to prefer the same origin policy over From- > Origin? > I believe there may be a need for clarification here: From-Origin (as proposed by Anne) or CORS (as it exists today) are both access control mechanisms - From-Origin offers a generic way for authors to opt-in for origin restrictions for any resource type, while CORS allows to relax (i.e. opt-out from) the restriction that is imposed by default. They are not alternative solutions to same origin restriction - they both complement it by offering a way to relax it. Same origin restriction should really be considered just a default initial state, as it can be relaxed using either of access control mechanisms. <From-Origin=same> would result in the same behavior as currently specified, so it isn't SOR vs. From-Origin or CORS, it's about whether From-Origin is a better way to do it (I believe, yes), and whether a default initial state should be defined (and, again, I believe - yes, it should). What is of utmost importance here is that there *is* a normative mechanism in place that gives authors a way to control how the resources they published should be used. Thank you, Vladimir > - Florian > > [1] http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
Received on Monday, 20 June 2011 17:16:35 UTC