- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 26 Apr 2010 16:16:25 +0900
- To: public-webfonts-wg@w3.org
Christopher Slye wrote:
> Is there an argument to be made _against_ requiring SOR?

If by SOR you mean CORS -- of which the editor's draft can be found at http://dev.w3.org/2006/waf/access-control/ -- I suppose I should explain why I think it is wrong to use it for the scenario it is being considered for here.

CORS is meant to lift restrictions that unless otherwise in place would be privacy problems. E.g. reading data from other servers with XMLHttpRequest is not allowed because in the context of the user running the browser such a server might be located on the user's intranet which does authentication based on the user's IP. Allowing evil.com to access such data would be a problem. Similarly cross-origin <img> resources can be manipulated through <canvas> but once such an <img> is painted on the <canvas> it can no longer be extracted as that would be a privacy leak. CORS provides a way to lift these restrictions.

Fonts do not need these restrictions. There is no privacy leak when I use a font from another server on my own. There might be a problem if the other server is hijacked and starts serving different glyphs, but CORS is not a solution to such a problem and will do nothing to prevent it.

Using CORS as anything else than lifting restrictions put in place for information leakage is an abuse of the protocol in my opinion. If we are concerned with bandwidth usage we should have something that also works for <img>, <video>, etc, not just for fonts.

Kind regards,

PS: I'm currently not subscribed to public-webfonts-wg@w3.org.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 26 April 2010 07:17:05 UTC
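
The two read restrictions described in the message above (cross-origin reads and canvas extraction), and how a CORS opt-in lifts them, as a simplified model. This is an added example, not part of the original message and not browser or specification code; the function, class and host names are hypothetical.

```javascript
// Added example: simplified model of the restrictions described in the message.
// Names and hosts are hypothetical/constructed; this is not browser or spec code.

// May a page at `origin` read a cross-origin response with these headers?
function corsAllowsRead(origin, headers, withCredentials) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false;        // server did not opt in
  if (allow === "*") return !withCredentials;   // wildcard never covers credentialed requests
  if (allow !== origin) return false;           // must name the requesting origin exactly
  return !withCredentials ||
    headers["access-control-allow-credentials"] === "true";
}

// Canvas with an origin-clean flag: drawing is always allowed, reading back is not.
class ModelCanvas {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin;
    this.originClean = true;
  }
  drawImage(img) {
    const sameOrigin = img.origin === this.pageOrigin;
    const shared = corsAllowsRead(this.pageOrigin, img.headers, false);
    if (!sameOrigin && !shared) this.originClean = false; // taint, but still paint
  }
  toDataURL() {
    if (!this.originClean) throw new Error("SecurityError: canvas is tainted");
    return "data:,constructed-placeholder";
  }
}

// Constructed scenario: a page tries to read pixels from two foreign images.
function canExtract(pageOrigin, img) {
  const canvas = new ModelCanvas(pageOrigin);
  canvas.drawImage(img);
  try { canvas.toDataURL(); return true; } catch (e) { return false; }
}

const intranetImg = { origin: "http://intranet.example", headers: {} };
const sharedImg = {
  origin: "https://cdn.example",
  headers: { "access-control-allow-origin": "*" },
};
console.log(canExtract("https://evil.example", intranetImg)); // false
console.log(canExtract("https://evil.example", sharedImg));   // true
```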