- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 8 Dec 2009 19:18:15 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org
- Message-ID: <Pine.LNX.4.62.0912081910590.16061@hixie.dreamhostps.com>
https://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html

On Tue, 8 Dec 2009, Tyler Close wrote:
>
> To answer your question, I need a better understanding of what
> "semi-public" means. At first blush, it sounds a little bit like
> "semi-pregnant". More inline below...
>
> On Tue, Dec 8, 2009 at 6:16 AM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > I'm trying to understand this proposal and how it would interact with
> > Server-sent Events, XBL2, <canvas>/<img>, and <video>:
>
> We're not proposing changing the existing security model of the <img>
> tag, since that would break existing sites. A new <img>-like tag that
> supports UMP might be a good thing to have though.

By "<canvas>/<img>" I mean the ability to disable the cross-origin
restriction on <canvas>'s .toDataURL() API when cross-origin <img> elements
are drawImage()'d onto the canvas. This is one of the use cases for which
CORS was intended to eventually be used.

By "<video>" I mean the ability to disable the cross-origin restriction
that will be introduced once we add metadata discovery features to
<video>'s API.

> > How would one label a static resource on an intranet server, e.g.
> >
> >    http://videos.corp.example.com/tgif/2009-12-11.ogg
> >
> > ...such that it can be used by the pages on the following hosts:
> >
> >    http://www.corp.example.com/
> >    http://moma.corp.example.com/
> >    http://tgif.corp.example.com/
> >    http://intranet.example.com/
> >
> > ...but such that it could _not_ be used by pages on the following hosts:
> >
> >    http://hostile-blog.example.com/
>
> What exactly do you mean by "used"? Do you mean that the blog site
> author cannot obtain the bytes in the OGG file?

I am referring to the ability for those pages to get to the metadata (e.g.
embedded subtitles) of the video file through a future <video> API.

To recast the question in terms of XMLHttpRequest, how would one label a
static resource on an intranet server, e.g.:

   http://marketing.corp.example.com/productcodes.xml

...such that it can be read (using XMLHttpRequest) by scripts embedded on
pages from the following hosts:

   http://www.corp.example.com/
   http://finance.corp.example.com/
   http://eng.corp.example.com/
   http://intranet.example.com/

...but such that it could _not_ be read by pages from the following hosts
(i.e. the HTTP response would not be made accessible to scripts on pages
from these hosts):

   http://hostile-blog.example.com/
   http://www.hostile.example/

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 8 December 2009 19:18:44 UTC