W3C home > Mailing lists > Public > public-webfonts-wg@w3.org > February 2011

Re: SOR: CORS or From-Origin?

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 16 Feb 2011 11:31:35 -0800
Cc: Håkon Wium Lie <howcome@opera.com>, John Daggett <jdaggett@mozilla.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, Anne van Kesteren <annevk@opera.com>
Message-id: <50319B0F-B1A5-499F-A7EA-C816549F38FA@apple.com>
To: Sylvain Galineau <sylvaing@microsoft.com>

On Feb 10, 2011, at 9:15 AM, Sylvain Galineau wrote:

> [Håkon Wium Lie:]
>> Yes. It's a tradeoff. Slightly more work for font publishers with
>> restrictions -- they would have to add this to their .htaccess file:
>>  <FilesMatch "\.(ttf|TTF|otf|OTF|woff|WOFF)$">
>>  Header set From-Origin same
>>  </FilesMatch>
> That's not work for font publishers, that's work for the guy who
> licensed and paid for the font and now needs to monkey around with
> his HTTP server config to conform to the license. (And assumes he
> has access to .htaccess, which is not always the case e.g. small 
> business using a hosting service). Never mind the skills to do it
> correctly and verify that the font is indeed same-origin after the
> change. This also has to be done for every server that may serve 
> the font for this domain etc.  

Previously, it was argued that CORS to opt into sharing is a low burden, since adding a fixed request header is much easier than checking an incoming response header. If it is indeed easy for content authors to add fixed response headers (and I do believe that is the case), then it is not an undue burden to do this to restrict font hotlinking. Any Web server and just about any hosting provider makes it very simple to add a fixed header for a specific file or all files with an extension. Content authors and hosting providers even have a selfish motive to do this, since it protects their bandwidth.

Received on Wednesday, 16 February 2011 19:32:16 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:34:15 UTC