W3C home > Mailing lists > Public > public-webfonts-wg@w3.org > February 2011

Re: SOR: CORS or From-Origin?

From: Tab Atkins <tabatkins@google.com>
Date: Wed, 16 Feb 2011 12:54:32 -0800
Message-ID: <AANLkTikXj66o_M8NXZhkF7t4G1BWLa68wiiHrN_RLahX@mail.gmail.com>
To: "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Sylvain Galineau <sylvaing@microsoft.com>, HÃ¥kon Wium Lie <howcome@opera.com>, John Daggett <jdaggett@mozilla.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, Anne van Kesteren <annevk@opera.com>
On Wed, Feb 16, 2011 at 12:39 PM, Levantovsky, Vladimir
<Vladimir.Levantovsky@monotypeimaging.com> wrote:
> On Wednesday, February 16, 2011 2:32 PM Maciej Stachowiak wrote:
>> Previously, it was argued that CORS to opt into sharing is a low
>> burden, since adding a fixed request header is much easier than
>> checking an incoming response header. If it is indeed easy for content
>> authors to add fixed response headers (and I do believe that is the
>> case), then it is not an undue burden to do this to restrict font
>> hotlinking.
> I guess we should also take into consideration how often something would have to be done, and the level of knowledge and skills of the person doing it. I agree that adding a fixed response header would be considered a low burden for a small number of professional, highly-skilled web developers who may have a need to relax SOR restriction. However, requiring the same to be done by *everyone* to put SOR in place seems like a much higher burden.

FWIW, I'm planning to add 'From-Origin' support to Webkit this week or
next, and make it so that if no From-Origin header was sent in
response to a @font-face request the effect is as if
'From-Origin:same' had been sent.

(I'll do the second in such a way that Safari can turn it off if they
want, at least until we have consensus.)

Received on Wednesday, 16 February 2011 20:55:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:34:15 UTC