[whatwg] Support for <link rel="stylesheet" crossorigin>
Boris Zbarsky
bzbarsky at MIT.EDU
Tue Aug 28 11:56:30 PDT 2012
On 8/28/12 2:04 PM, Boris Zbarsky wrote:
> An open issue: what to do about @import? I haven't done anything magic
> here yet. Inheriting the CORS mode from the importing sheet is a bit
> weird
Maybe I should explain "weird".
If the CORS mode is inherited from the importing sheet, then I think the
"origin" for the fetch should be the page, not the importing sheet,
since the page is what would get access to the stylesheet data.
Maybe this is OK, but it's non-obvious; usually for security purposes
the importing sheet is what affects things like can-load checks, Referer
headers, etc.
-Boris
More information about the whatwg
mailing list