
Re: SOR: CORS or From-Origin?

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 16 Feb 2011 11:38:22 -0800
Cc: John Daggett <jdaggett@mozilla.com>, Håkon Wium Lie <howcome@opera.com>, public-webfonts-wg@w3.org, Anne van Kesteren <annevk@opera.com>
Message-id: <3329636C-44E0-41B4-A4A4-9294F26522AA@apple.com>
To: Behdad Esfahbod <behdad@google.com>

That would be painful to implement. The layers of the browser that decide whether to apply same-origin restrictions happen before any parsing of the format.

 - Maciej

On Feb 10, 2011, at 1:16 PM, Behdad Esfahbod wrote:

> Given the discussion going on, I wonder, has it been considered to include a SOR flag in the WOFF file itself?  That solves both problems in that:
> 
>   1) proprietary foundries can include the flag and those WOFF fonts will be checked for SOR by the browsers,
> 
>   2) fonts and non-fonts are not inherently handled differently on the web.  The SOR check originates from an explicit flag inside the content.
> 
> My .02CAD
> behdad
> 
> 
> On Wed, Feb 9, 2011 at 11:38 PM, John Daggett <jdaggett@mozilla.com> wrote:
> Håkon Wium Lie wrote:
> 
> > Same-origin restrictions (SOR), by way of CORS, is described in
> > the current WOFF WD. As we have seen on this list, the use of
> > CORS is seeing some resistance in the web community. I believe
> > it's in the interest of this WG to try to address the concerns
> > raised.
> 
> I think this is a confusing way of describing the issue with
> same-origin restrictions on fonts.  CORS is a mechanism for
> *relaxing* a same origin restriction, it's not a mechanism to
> *enforce* a same origin restriction.
> 
> I think there are two separate issues here:
> 
>  1. What should be the default load behavior for cross-origin
>     font requests?
> 
>  2. How can authors modify the default behavior?
> 
> The existing same-origin restriction for WOFF is that by default
> cross-origin font requests aren't loaded but that this behavior
> can be modified by authors using the CORS mechanism.  What Anne
> is proposing is that by default cross-origin font requests *are*
> loaded, just as images and scripts are loaded.  But authors can
> restrict cross-site usage of *any* resource type by adding an
> appropriate 'From-Origin' header.  The default load behavior is
> the real issue here, the mechanism for relaxing/tightening this
> is more interesting mechanics.
> 
> As both Dave and Sylvain have pointed out, removing the default
> load restriction on cross-origin font resources means that
> authors would always need to change response header settings to
> satisfy common licensing requirements for commercial fonts.  If
> cross-origin fonts are restricted by default they wouldn't need
> to do this.
> 
> Note that it's also possible to have cross-origin font resources
> restricted by default *and* allow other types to be restricted
> via something like Anne's 'From-Origin' mechanism.  I'm quite
> sure Anne doesn't like that though. ;)
> 
> It would be good to get a clear response from Apple as to what
> their position is and the reasoning behind it.
> 
> Regards,
> 
> John Daggett
> 
> cc: Anne
> 
> 
Received on Wednesday, 16 February 2011 19:39:37 GMT
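
The two default load behaviors contrasted in the thread, as an added example that is not part of the original messages or of any browser's code. The function names, policy labels and sample origins are hypothetical, CORS handling is reduced to the `Access-Control-Allow-Origin` header, and the `From-Origin` value syntax (the keyword `same` or a comma-separated origin list) is an assumption.

```javascript
// Added illustration. Both checks see only origins and response headers,
// never the font bytes: the decision is made before any format parsing.
// Header names are lowercased by the caller. Simplified: no credentials
// mode, no preflight. The From-Origin value syntax is an assumption.

function corsAllows(headers, pageOrigin) {
  const acao = (headers['access-control-allow-origin'] || '').trim();
  return acao === '*' || acao === pageOrigin;
}

function fromOriginAllows(headers, pageOrigin) {
  const value = headers['from-origin'];
  if (value === undefined) return true; // no header: unrestricted
  const allowed = value.split(',').map(s => s.trim()).filter(Boolean);
  // "same" (assumed keyword) means same-origin only; this function is only
  // reached for cross-origin loads, so it never matches a real origin.
  return allowed.includes(pageOrigin);
}

function mayLoadFont(policy, pageOrigin, fontUrl, headers) {
  if (new URL(fontUrl).origin === pageOrigin) return true; // same-origin
  switch (policy) {
    case 'restricted-by-default': return corsAllows(headers, pageOrigin);
    case 'open-by-default': return fromOriginAllows(headers, pageOrigin);
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Constructed sample: a blog embedding a font hosted by a foundry.
const PAGE = 'https://blog.example';
const FONT = 'https://foundry.example/fonts/body.woff';

function compare(headers) {
  return {
    restricted: mayLoadFont('restricted-by-default', PAGE, FONT, headers),
    open: mayLoadFont('open-by-default', PAGE, FONT, headers),
  };
}

console.log(compare({}));                                    // no headers sent
console.log(compare({ 'access-control-allow-origin': PAGE })); // CORS opt-in
console.log(compare({ 'from-origin': 'same' }));             // From-Origin opt-out
```

With no headers at all, the font is blocked under the restricted default and loaded under the open default, which is the licensing concern raised in the quoted message.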
