W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2013

Re: [whatwg] font security on measureText

From: Robert O'Callahan <robert@ocallahan.org>
Date: Sat, 8 Jun 2013 23:32:58 +1200
Message-ID: <CAOp6jLb2pesjZCZT3pA6cPkjrXt6DkuayTM=H_vR-r1UHKmB3Q@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: WHATWG <whatwg@whatwg.org>, Rik Cabanier <cabanier@gmail.com>, Boris Zbarsky <bzbarsky@mit.edu>
On Sat, Jun 8, 2013 at 11:08 AM, Ian Hickson <ian@hixie.ch> wrote:

> If browsers align on the above text the HTML spec indeed would no longer
> need to worry about this, since there'd no longer be any cross-origin
> fonts. Has this occurred?
>
> (Personally I don't really see why we'd limit this to same-origin and
> CORS-cross-origin only. It makes loading fonts from other origins a pain.)
>

It shouldn't be a pain; adding the right CORS headers should be easy.

This very thread is one good example of why we should limit font loading to
same-origin and CORS-cross-origin; it simplifies font-related APIs because
we don't have to worry about information leaks.

Rob
-- 
q“qIqfq qyqoquq qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qyqoquq,q qwqhqaqtq
qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq qsqiqnqnqeqrqsq
qlqoqvqeq qtqhqoqsqeq qwqhqoq qlqoqvqeq qtqhqeqmq.q qAqnqdq qiqfq qyqoquq
qdqoq qgqoqoqdq qtqoq qtqhqoqsqeq qwqhqoq qaqrqeq qgqoqoqdq qtqoq qyqoquq,q
qwqhqaqtq qcqrqeqdqiqtq qiqsq qtqhqaqtq qtqoq qyqoquq?q qEqvqeqnq
qsqiqnqnqeqrqsq qdqoq qtqhqaqtq.q"
Received on Saturday, 8 June 2013 11:33:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:22 UTC