RE: css3-fonts: should not dictate usage policy with respect to origin

On Monday, June 20, 2011 2:02 PM John Hudson wrote:
> Vladimir wrote:
> > I believe there may be a need for clarification here: From-Origin (as
> > proposed by Anne) or CORS (as it exists today) are both access control
> > mechanisms - From-Origin offers a generic way for authors to opt-in for
> > origin restrictions for any resource type, while CORS allows to relax
> > (i.e. opt-out from) the restriction that is imposed by default. They
> > are not alternative solutions to same origin restriction - they both
> > complement it by offering a way to relax it.
>
> That statement is true *if* the default state is same origin
> restriction. That clearly is not the case in today's UAs with regard to
> many resource types. So such a default either must be webfont specific
> or must involve overhaul of how all resource types are currently
> handled, which seems to me very unlikely.

True, and this is why I believe it is important to define what the default initial state is. I'd guess that the default state for many resource types would be "From-Origin=any" but it can also be resource type specific, so there can be cases (e.g. webfonts?) where setting a default to "From-Origin=same" could make sense. It really needs to be looked at from an author point of view and whether a particular default state would make authors' life easier or not.


Received on Monday, 20 June 2011 18:30:02 UTC