Re: SOR: CORS or From-Origin?

From: Behdad Esfahbod <behdad@google.com>
Date: Thu, 10 Feb 2011 16:16:44 -0500
Message-ID: <AANLkTimzZPSxTV56SkcJt=T-v4MhL7kJnQesg22eijoM@mail.gmail.com>
To: John Daggett <jdaggett@mozilla.com>
Cc: Håkon Wium Lie <howcome@opera.com>, public-webfonts-wg@w3.org, Anne van Kesteren <annevk@opera.com>

Given the discussion going on, I wonder, has it been considered to include a
SOR flag in the WOFF file itself?  That solves both problems in that:

  1) proprietary foundries can include the flag and those WOFF fonts will be
checked for SOR by the browsers,

  2) fonts and non-fonts are not inherently handled differently on the web.
 The SOR check originates from an explicit flag inside the content.

My .02CAD
behdad


On Wed, Feb 9, 2011 at 11:38 PM, John Daggett <jdaggett@mozilla.com> wrote:

> Håkon Wium Lie wrote:
>
> > Same-origin restrictions (SOR), by way of CORS, is described in
> > the current WOFF WD. As we have seen on this list, the use of
> > CORS is seeing some resistance in the web community. I believe
> > it's in the interest of this WG to try to address the concerns
> > raised.
>
> I think this is a confusing way of describing the issue with
> same-origin restrictions on fonts.  CORS is a mechanism for
> *relaxing* a same origin restriction, it's not a mechanism to
> *enforce* a same origin restriction.
>
> I think there are two separate issues here:
>
>  1. What should be the default load behavior for cross-origin
>     font requests?
>
>  2. How can authors modify the default behavior?
>
> The existing same-origin restriction for WOFF is that by default
> cross-origin font requests aren't loaded but that this behavior
> can be modified by authors using the CORS mechanism.  What Anne
> is proposing is that by default cross-origin font requests *are*
> loaded, just as images and scripts are loaded.  But authors can
> restrict cross-site usage of *any* resource type by adding an
> appropriate 'From-Origin' header.  The default load behavior is
> the real issue here, the mechanism for relaxing/tightening this
> is more interesting mechanics.
>
> As both Dave and Sylvain have pointed out, removing the default
> load restriction on cross-origin font resources means that
> authors would always need to change response header settings to
> satisfy common licensing requirements for commercial fonts.  If
> cross-origin fonts are restricted by default they wouldn't need
> to do this.
>
> Note that it's also possible to have cross-origin font resources
> restricted by default *and* allow other types to be restricted
> via something like Anne's 'From-Origin' mechanism.  I'm quite
> sure Anne doesn't like that though. ;)
>
> It would be good to get a clear response from Apple as to what
> their position is and the reasoning behind it.
>
> Regards,
>
> John Daggett
>
> cc: Anne
>
>
Received on Thursday, 10 February 2011 21:17:35 GMT