On Tue, 04 Oct 2011 23:15:01 +0200, Boris Zbarsky <bzbar...@mit.edu> wrote:
A server has the option of declining _all_ non-CORS requests (e.g. all requests without an Origin header). Servers that care about others getting at their images should do so. Of course that relies on all UAs implementing @crossorigin so that servers can require it when linking to their images... But once we get there, this becomes a quite viable strategy for the server to avoid leaking their images.

I think http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html is a better strategy for achieving that. The advantage being that only changes on the server are required.


--
Anne van Kesteren
http://annevankesteren.nl/
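
The server-side strategy from the quoted paragraph (decline every image request that arrives without an Origin header), sketched as an added example that is not part of the original thread. The function names, the allowlist and the sample origins are assumptions made for illustration.

```javascript
'use strict';
// Added example (hypothetical helper names, constructed origins).
// Policy: serve an image only to CORS requests from allowlisted origins.

// Constructed allowlist of origins permitted to embed the images.
const ALLOWED_ORIGINS = new Set([
  'https://www.example.org',
  'https://app.example.org',
]);

// HTTP header names are case-insensitive; normalise before lookup.
// A header repeated by the client is joined, so it cannot match the allowlist.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value.join(', ') : String(value);
    }
  }
  return undefined;
}

// Returns the status and response headers for one image request.
// Only browsers guarantee an honest Origin; other clients can send any
// value, so this limits cross-site embedding, not direct fetching.
function decideImageRequest(headers, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin stops a shared cache replaying one origin's answer to another.
  const base = { Vary: 'Origin' };
  const origin = getHeader(headers, 'Origin');
  if (origin === undefined || origin.trim() === '') {
    return { status: 403, headers: base, reason: 'non-CORS request (no Origin)' };
  }
  // "null" is what opaque origins (e.g. sandboxed frames) send; never allow it.
  if (origin === 'null' || !allowed.has(origin)) {
    return { status: 403, headers: base, reason: 'origin not allowlisted' };
  }
  return {
    status: 200,
    headers: { ...base, 'Access-Control-Allow-Origin': origin },
    reason: 'allowed',
  };
}

// Constructed sample requests: plain <img> load, allowed CORS load, foreign site.
for (const h of [{}, { Origin: 'https://www.example.org' }, { origin: 'https://other.example' }]) {
  const d = decideImageRequest(h);
  console.log(JSON.stringify(h), '->', d.status, d.reason);
}
```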
