Re: [whatwg] font security on measureText

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 4 May 2013 09:16:38 +0100
Message-ID: <CADnb78gstRYMpOP6VPcbZLaq+smF8VASczvnXfyf_Pmp_FJKPg@mail.gmail.com>
To: Rik Cabanier <cabanier@gmail.com>
Cc: WHATWG <whatwg@whatwg.org>, "public-canvas-api@w3.org" <public-canvas-api@w3.org>

On Fri, May 3, 2013 at 6:25 PM, Rik Cabanier <cabanier@gmail.com> wrote:
> On Fri, May 3, 2013 at 2:23 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> 1. That assumes tainted cross-origin as a fetching mode.
>> http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
>> it uses CORS.
>
> What do you mean by 'you'?
> The link in Canvas from the WhatWG spec is to the above section

What I'm saying is that the section you're referring to is written
from the perspective of using tainted cross-origin as mode for font
fetching. Which is incorrect per the CSS fonts specification as per
that specification fonts will always be CORS-same-origin with the
document.


> OK. So it seems that the canvas spec should NOT say that the font has to be
> the same origin.
> It should refer to CSS portion that describes this fetching or be silent.

It would not have to say anything.


--
http://annevankesteren.nl/
Received on Saturday, 4 May 2013 08:17:07 UTC
