- From: Levantovsky, Vladimir <Vladimir.Levantovsky@MonotypeImaging.com>
- Date: Mon, 20 Jun 2011 14:29:33 -0400
- To: John Hudson <tiro@tiro.com>
- CC: Florian Rivoal <florianr@opera.com>, Glenn Adams <glenn@skynav.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Jonathan Kew <jonathan@jfkew.plus.com>, Tab Atkins Jr. <jackalmage@gmail.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
On Monday, June 20, 2011 2:02 PM John Hudson wrote:
>
> Vladimir wrote:
>
> > I believe there may be a need for clarification here: From-Origin (as
> > proposed by Anne) or CORS (as it exists today) are both access control
> > mechanisms - From-Origin offers a generic way for authors to opt-in for
> > origin restrictions for any resource type, while CORS allows to relax
> > (i.e. opt-out from) the restriction that is imposed by default. They
> > are not alternative solutions to same origin restriction - they both
> > complement it by offering a way to relax it.
>
> That statement is true *if* the default state is same origin
> restriction. That clearly is not the case in today's UAs with regard to
> many resource types. So such a default either must be webfont specific
> or must involve overhaul of how all resource types are currently
> handled, which seems to me very unlikely.
>

True, and this is why I believe it is important to define what the default initial state is. I'd guess that the default state for many resource types would be "From-Origin=any" but it can also be resource type specific, so there can be cases (e.g. webfonts?) where setting a default to "From-Origin=same" could make sense. It really needs to be looked at from an author point of view and whether a particular default state would make authors' life easier or not.

Vladimir
Received on Monday, 20 June 2011 18:30:02 UTC
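The interaction discussed in this message, as an added example that is not part of the original email or of any specification: a small model of how a per-resource-type default state, an author's From-Origin opt-in and a CORS opt-out could combine into one load decision. The `DEFAULT_STATE` table, the `mayUse` function, the rule that CORS relaxes a "same" state, and the `*.example` URLs are all assumptions made for illustration; only the "any"/"same" values and the `Access-Control-Allow-Origin` header name are taken as given.

```javascript
// Illustrative model only: not the algorithm of any browser or specification.
// Hypothetical per-type defaults, following the email's "e.g. webfonts?" suggestion.
const DEFAULT_STATE = { image: "any", script: "any", font: "same" };

const originOf = (url) => new URL(url).origin;
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Decide whether the page at `pageUrl` may use the resource at `resourceUrl`.
// `headers` holds the resource's response headers, keyed by lowercase name.
function mayUse(pageUrl, resourceUrl, type, headers = {}, defaults = DEFAULT_STATE) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(resourceUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  // Author opt-in: an explicit From-Origin value overrides the type default.
  const declared = (headers["from-origin"] || "").trim().toLowerCase();
  const explicit = declared === "same" || declared === "any";
  const state = explicit ? declared : own(defaults, type) ? defaults[type] : "any";
  const source = explicit ? `From-Origin: ${state}` : `default for ${type} is ${state}`;
  if (state === "any") {
    return { allowed: true, reason: source };
  }
  // State is "same": in this model CORS can relax it (assumption).
  const acao = (headers["access-control-allow-origin"] || "").trim();
  if (acao === "*" || acao === pageOrigin) {
    return { allowed: true, reason: "restriction relaxed by CORS" };
  }
  return { allowed: false, reason: source };
}

// Constructed sample requests: one page, resources on another origin.
const PAGE = "https://blog.example/post";
const SAMPLES = [
  ["https://cdn.example/logo.png", "image", {}],
  ["https://cdn.example/logo.png", "image", { "from-origin": "same" }],
  ["https://fonts.example/body.woff", "font", {}],
  ["https://fonts.example/body.woff", "font",
    { "access-control-allow-origin": "https://blog.example" }],
];
for (const [url, type, headers] of SAMPLES) {
  const { allowed, reason } = mayUse(PAGE, url, type, headers);
  console.log(`${type} ${url}: ${allowed ? "allowed" : "blocked"} (${reason})`);
}
```

With identical (empty) response headers the image loads and the font does not, so the outcome is decided entirely by the default initial state.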