[whatwg] Iframe dimensions

Tab Atkins Jr. jackalmage at gmail.com
Tue Nov 16 10:12:25 PST 2010

On Tue, Nov 16, 2010 at 10:06 AM, Boris Zbarsky <bzbarsky at mit.edu> wrote:
> On 11/16/10 12:56 PM, Tab Atkins Jr. wrote:
>>> - it is applicable at the client side without scripting
>> This is not possible, for the simple reason that the whole point of
>> CORS is to protect server resources.  If you could deal with CORS
>> purely on the client side, you'd be allowing the page author to
>> determine if they themself are allowed to access a file on another
>> server.  That's a pretty obvious inversion of responsibility.  ^_^
> Well, more precisely there is nothing that needs to be done on the client
> side for CORS, right?

Ah, if that's what Markus was getting at, then yes.  CORS requires
*zero* work on the client side, since it's completely done in the
server-browser interaction.  The entirety of the client's interaction
in the process is the initial request for a resource.


More information about the whatwg mailing list