W3C home > Mailing lists > Public > public-webfonts-wg@w3.org > February 2011

Re: SOR: CORS or From-Origin?

From: Behdad Esfahbod <behdad@google.com>
Date: Thu, 10 Feb 2011 17:25:23 -0500
Message-ID: <AANLkTikQfCzG01oEf5ag6KdKFvTp4ekPHx5Yxc3G6Kma@mail.gmail.com>
To: Tab Atkins <tabatkins@google.com>
Cc: liam@w3.org, public-webfonts-wg@w3.org
On Thu, Feb 10, 2011 at 5:20 PM, Tab Atkins <tabatkins@google.com> wrote:

> On Thu, Feb 10, 2011 at 2:17 PM, Behdad Esfahbod <behdad@google.com>
> wrote:
> > On Thu, Feb 10, 2011 at 5:05 PM, Tab Atkins <tabatkins@google.com>
> wrote:
> >> On Thu, Feb 10, 2011 at 1:51 PM, Behdad Esfahbod <behdad@google.com>
> >> wrote:
> >> > On Thu, Feb 10, 2011 at 4:32 PM, Liam R E Quin <liam@w3.org> wrote:
> >> >>
> >> >> On Thu, 2011-02-10 at 16:16 -0500, Behdad Esfahbod wrote:
> >> >> > Given the discussion going on, I wonder, has it been considered to
> >> >> > include a
> >> >> > SOR flag in the WOFF file itself?
> >> >>
> >> >> By the time you've got the font in order to check the flag, it's too
> >> >> late for the server to refuse to send it, no?
> >> >
> >> > No.  This is exactly like the current proposed SOR, which is also
> >> > client-side.  This is not about the server refusing to serve.  You can
> >> > always download the font using "wget", and the current SOR mechanism
> >> > would
> >> > help there either.  It's about the font not working on other people's
> >> > website.
> >>
> >> You must be misunderstanding something in the proposal, because you're
> >> incorrect here.
> >
> > Ok, let me correct myself: what I propose is *functionally* equivalent to
> > the current SOR.  In that in both cases, another domain linking to the
> font
> > will NOT work.  In both cases, people can download the font still,
> because
> > SOR does not restrict the server from serving.
>
> Indeed, it's the same in those contexts.  But it doesn't save any
> bandwidth for the original author, which is one of the nice benefits
> of preventing hot-linking through SOR.  This is a significant
> difference.
>

But if it doesn't work, one would hope that people are not going to use it.

Lets not mix (hypothetical) bandwidth savings with the license requirements.
 Reading the thread it looks like the SOR requirement is necessary for
license enforcement reasons.

behdad


> ~TJ
>
Received on Thursday, 10 February 2011 22:26:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 10 February 2011 22:26:15 GMT