- From: Brad Kemper <brad.kemper@gmail.com>
- Date: Mon, 22 Jun 2009 13:23:03 -0700
- To: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Cc: Mikko Rantalainen <mikko.rantalainen@peda.net>, "www-style@w3.org" <www-style@w3.org>, "whatwg@whatwg.org" <whatwg@whatwg.org>
So your argument, in effect, is that site owners should not be allowed to restrict their content, because it might actually work? Or because older browsers and browsers that have yet to implement the standard could be used for the same sort of IP pirating as today? Sent from my iPhone On Jun 22, 2009, at 1:15 PM, Aryeh Gregor <Simetrical+w3c@gmail.com> wrote: > On Mon, Jun 22, 2009 at 10:43 AM, Brad Kemper<brad.kemper@gmail.com> > wrote: >> This makes sense to me. I was surprised and found it counter- >> intuitive to >> learn that CORS could be used to list the servers that are allowed >> access, >> but could not and would not restrict access to servers not on that >> list. Why >> not? If the header was added to an image file, it would seem to be >> a clear >> indication of what servers were allowed access or not. > > Consider the following scenario: > > 1) Site A hotlinks images from site B > > 2) Firefox 3.5 implements CORS in a way that allows sites to deny > cross-origin requests of images > > 3) Site B's webmaster hears about this and says "Great, I can stop > hotlinking!" and uses it > > 4) User of site A upgrades to Firefox 3.5, images suddenly break. > User gets annoyed and concludes Firefox 3.5 is broken, and switches > back to Firefox 3.0 or to a competing browser. > > I believe that's the major rationale for not permitting cross-origin > restrictions on existing media types. The only way this could work is > if *all* browsers agreed to implement it all at once, and it would > still seriously annoy a lot of users/cause them to delay > upgrading/etc., which none of the browser vendors want to do.
Received on Monday, 22 June 2009 20:23:53 UTC