RE: SOR: CORS or From-Origin?

On Thursday, February 10, 2011 12:15 PM Sylvain Galineau wrote:
> 
> [Håkon Wium Lie:]
> > Yes. It's a tradeoff. Slightly more work for font publishers with
> > restrictions -- they would have to add this to their .htaccess file:
> >
> >   <FilesMatch "\.(ttf|TTF|otf|OTF|woff|WOFF)$">
> >   Header set From-Origin same
> >   </FilesMatch>
> 
> That's not work for font publishers, that's work for the guy who
> licensed and paid for the font and now needs to monkey around with
> his HTTP server config to conform to the license. (And assumes he
> has access to .htaccess, which is not always the case e.g. small
> business using a hosting service). Never mind the skills to do it
> correctly and verify that the font is indeed same-origin after the
> change. This also has to be done for every server that may serve
> the font for this domain etc.
> 
> If, on the other hand, browsers enforce same-origin by default, then
> all the author has to do is to put the font in a directory on their
> server and reference it.
> 
> Can we *at least* agree this is a much lower barrier for authors in
> the most general use-case?
> 

Yes!

> > In return we get a mechanism that the whole web can use, one that
> > also solves privacy concerns.
> 
> Solving the problem generally is always nice, but as the default
> behavior of the general solution conflicts with the smart default
> for fonts it does not really improve on the current solution for
> our purposes. One possible tweak would be to say that resources
> loaded by @font-face should be treated as if From-Origin:same was
> set unless the server sets that header.
> 

I think this could be a very good alternative to CORS. The "From Origin" header would work exactly as proposed if present. However, the default behavior can be specified by the WOFF spec: in the absence of a "From Origin" header, the font must be treated as if "From Origin: same" were set. In my admittedly 'under-educated' opinion, this would resolve all the concerns that Håkon and Anne had presented (i.e. the same "From Origin" header can be used with any other media type "without causing havoc"), and the only difference is that the alternative default behavior is specified by the WOFF spec.

As Håkon said, if "From Origin" can be spec'ed quickly, this might be the way to eliminate the dependency on CORS.

Comments?
Vlad
 

Received on Friday, 11 February 2011 00:02:37 UTC
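The decision rule the thread converges on (a font response with no From-Origin header is treated as if it had sent `From-Origin: same`, while other media types keep their current unrestricted behaviour) can be written down as a small check. The following is an added example, not code from the thread, the WOFF specification or any browser; the set of font media types, the `any` value and the whitespace-separated list of serialized origins are assumptions made for illustration, since the thread only mentions `same` and the absent-header case.

```python
from urllib.parse import urlsplit

# Media types the user agent treats as fonts (constructed list for this example).
FONT_MEDIA_TYPES = {"application/font-woff", "font/woff", "font/ttf", "font/otf",
                    "application/x-font-ttf", "application/x-font-otf"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Origin = (scheme, host, port); a missing port resolves to the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def serialize_origin(origin):
    """ASCII serialization: scheme://host, with :port only when it is non-default."""
    scheme, host, port = origin
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def effective_policy(response_headers, content_type):
    """Resolve the From-Origin value, applying the proposed default when it is absent."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    value = headers.get("from-origin")
    if value is None:
        # The proposal under discussion: a font with no From-Origin header is
        # treated as though it had sent "From-Origin: same". Other media types
        # stay unrestricted ("any" is an assumed sentinel for this example).
        media_type = content_type.split(";")[0].strip().lower()
        return "same" if media_type in FONT_MEDIA_TYPES else "any"
    return value


def may_use(document_url, resource_url, response_headers, content_type):
    """True if the document at document_url may embed resource_url under the policy."""
    policy = effective_policy(response_headers, content_type)
    doc_origin = origin_of(document_url)
    if policy == "same":
        # Same-origin: scheme, host and port must all match.
        return doc_origin == origin_of(resource_url)
    if policy == "any":
        return True
    # Assumed extension: a whitespace-separated list of permitted serialized origins.
    allowed = {o.lower() for o in policy.split()}
    return serialize_origin(doc_origin) in allowed


if __name__ == "__main__":
    # Cross-origin page pulling a font that sent no From-Origin header: refused.
    print(may_use("http://other.example/page.html",
                  "http://example.com/fonts/a.woff", {}, "application/font-woff"))
```

The point the example makes is the one Sylvain raised: with this default the licensee does nothing beyond placing the font on their own server, and a server that does send `From-Origin` still gets exactly the behaviour the header specifies. Note that `http://example.com` and `http://example.com:80` compare as the same origin because the port is normalised before comparison.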