Anne van Kesteren

Breaking Web Platform Consistency Considered Harmful

Robert O'Callahan dislikes the way web architecture has evolved and proposes that for everything new we do things slightly differently. He argues that the current complexity is hard to understand and that therefore we should have a different approach for everything new, starting with fonts.

I think this is a bad idea and have said so in the past. For better or worse, all APIs within the web platform work on the principle that embedding cross-origin resources is okay, and reading cross-origin resources is not. This means that the img element works cross-origin for instance, as do style sheets. XMLHttpRequest does not work cross-origin as it can read information. A cross-origin img drawn upon a canvas element makes it so that you can no longer get data out of the canvas element. Otherwise you could read cross-origin image data and that is prohibited.

These rules also apply to the CSS 'background', 'content', and other properties. They are why script can be embedded cross-origin (but why you cannot access the raw contents of such scripts, such as comments), and why you can easily embed video on your site.

Despite the consistency we have in the platform today for the most used embedding contexts Robert (and presumably others at Mozilla given that Gecko ships with a different cross-origin policy for fonts) argue that, for what undoubtedly will be the long tail of embedding contexts, we should switch to a different model. It is also purely speculative. We do not know what the future brings. When designing web standards we try to design such that new features are possible in the future, but we never design anticipating something that might never come to be. (Well, the namespaces crowd did, and we all know what a success that is.)

I also very much doubt this helps authors. If it is a feature that came after fonts and has no legacy constraints it follows this model. If it is a feature before that or has some constraints it works pretty much like images and XMLHttpRequest. And unless any of those new theoretical features becomes widely successful authors will always get confused with them, because they work different from the basic tool set.

If the problem here is limiting cross-origin embedding in a more sane way we should do that in a way that also works for the existing embedding contexts. Most authors wish for a simple way to prevent linking to images from a different origin. My From-Origin proposal easily solves that and can work consistently across the platform. With the other approach a different solution for fonts and images is needed. I do not see how that helps.

As a final plea, the web platform is already brittle and inconsistent. The more we tear down what little consistency is left, the harder it will be for people to learn and fully grasp what exactly it is we have here.