The idea is the same as crossdomain.xml in flash -- content can explicitly opt into being shared across domain boundaries.
Our real problem is that there's no way to know whether content is generically available to the Internet, or just you because of IP firewalling / cookies / whatnot. So we have to default to blocking all cross domain reads, since that other domain might be hosting your email. On Sun, Sep 12, 2010 at 7:43 PM, <[email protected]> wrote: > One of my users asked me to install MathJax on my server. > Reading installation instructions in > http://www.mathjax.org/resources/docs/?installation.html#notes-about-shared-installations > I came across the following: > > ... Firefox's same-origin security policy for cross-domain scripting. > Firefox's interpretation of the same-origin policy is more strict than > most other browsers, and it affects how fonts are loaded with the > �...@font-face CSS directive. ... > There is a solution to this, however, if you manage the server ... > create a file called .htaccess that contains the following lines: ... > Header set Access-Control-Allow-Origin "*" > > That would suggest that this same-origin policy can be defeated by > settings on the "evil" server: the policy is not enforced, useless. > Did I misunderstand something? > > (Does not really matter to me, am not planning on using that setting, > but am wondering about Firefox workings.) > > Thanks, > > Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/ > School of Mathematics and Statistics University of Sydney Australia > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
