On Tue, 07 Jul 2009 02:02:32 +0200, Jonas Sicking <[email protected]> wrote:
> On Mon, Jul 6, 2009 at 4:07 PM, Bert Bos <[email protected]> wrote:
>> There are two incorrect use cases in
>> http://www.w3.org/TR/2009/WD-cors-20090317/
>>
>> 1) The draft says:
>>
>> "The xml-stylesheet processing instruction does not allow cross-origin loads
>> to prevent data theft (e.g., from intranets)."
>>
>> This is not true [...]
>
> Maybe what we can say here is that many implementations for security
> reasons do not allow XSLT stylesheets to be loaded cross origin.

Done.


>> 2) The draft says:
>>
>> "The CSS @font-face construct prohibits cross-origin loads."
>>
>> That is also not true. Neither the Rec[2] nor the latest draft[3] contain
>> such a restriction. For the same reason as above.
>
> Yeah, might be a good idea to leave out @font-face given how much in
> flux the formats and security models around @font-face seem to be.

Removed. (I actually changed my mind on this one and think that using CORS for this is an abuse of CORS.)


Thanks to you both!


--
Anne van Kesteren
http://annevankesteren.nl/
