On 10/4/11 4:24 PM, Kenneth Russell wrote:
> I don't think that this is a good argument for the currently specified
> behavior. The server only has the option of declining cross-origin
> access if the application specified the crossorigin attribute.

A server has the option of declining _all_ non-CORS requests (e.g. all requests without an Origin header). Servers that care about others getting at their images should do so. Of course that relies on all UAs implementing @crossorigin so that servers can require it when linking to their images... But once we get there, this becomes a quite viable strategy for the server to avoid leaking their images.

-Boris
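
The server-side policy described in the message above, sketched as an added example that is not part of the original email: a WSGI image endpoint that declines every request without an Origin header and grants CORS access only to listed origins. The allowlisted origin, the function names and the image bytes are assumptions made for the illustration.

```python
from wsgiref.util import setup_testing_defaults

ALLOWED_ORIGINS = {"https://app.example"}  # hypothetical allowlist
IMAGE_BYTES = b"\x89PNG\r\n\x1a\n"         # constructed stand-in for image data


def decide(origin):
    """Return (status, extra_headers) for the Origin value of one request."""
    # Vary: Origin keeps shared caches from replaying one origin's answer to another.
    vary = [("Vary", "Origin")]
    if origin is None:
        # No Origin header: not a CORS request (e.g. <img> without crossorigin).
        return "403 Forbidden", vary
    if origin not in ALLOWED_ORIGINS:
        # CORS request from an origin the server has not approved.
        return "403 Forbidden", vary
    return "200 OK", [("Access-Control-Allow-Origin", origin)] + vary


def app(environ, start_response):
    """WSGI entry point: serve the image only to approved CORS requests."""
    status, extra = decide(environ.get("HTTP_ORIGIN"))
    ok = status.startswith("200")
    body = IMAGE_BYTES if ok else b"CORS request required\n"
    headers = [("Content-Type", "image/png" if ok else "text/plain"),
               ("Content-Length", str(len(body)))] + extra
    start_response(status, headers)
    return [body]


def request(origin=None):
    """Drive the app in-process with a constructed environ (no network)."""
    environ = {}
    setup_testing_defaults(environ)
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    captured["body"] = b"".join(app(environ, start_response))
    return captured


if __name__ == "__main__":
    for origin in (None, "https://other.example", "https://app.example"):
        print(origin, "->", request(origin)["status"])
```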
