Re: same-origin restrictions and EULA (Re: A way forward)

On Sat, 2009-07-25 at 14:40 +0600, Chris Fynn wrote:
> If same origin restrictions are enforced by the UA how can an EULA 
> reasonably require them? Surely web authors cannot be held responsible 
> for how particular browsers accessing their sites happen to behave in 
> this regard. Or is the server supposed to check each time which UA is 
> accessing the site and only serve web fonts to those it knows enforce 
> same-origin restrictions?

I think that it fundamentally comes down to 
trust and probability, as follows:

Same origin restrictions exist, where they
do, to protect server operators, to protect
browser-side security, and to protect user 
privacy.  Reputable browser implementers have
plenty of incentive to implement them well.

A EULA cannot say "if you put this font on the
web then you MUST ensure it is never used
in an unauthorized cross-origin way" because,
as you note, authors can't possibly perform
that obligation.

A EULA can say "you must configure your server
according to the CORS spec".   Authors *can*
perform that obligation.  Most users will be using
browsers from reputable suppliers, configured in the
default way, and the CORS effect will be achieved.


-t

Received on Saturday, 25 July 2009 21:28:48 UTC
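As an added example (not part of the original message or thread), the server-side half of the CORS obligation described in the reply, plus a second function modelling the check a conforming browser makes before letting a cross-origin page use the font; the allowlisted origins are constructed sample values, and a real deployment would put the same policy in the web server's configuration.

```python
# Added example: server-side CORS policy for web font responses, and the
# browser-side check that makes the policy effective. Not from the thread.
from typing import Dict, Optional

# Constructed sample allowlist: the only sites licensed to embed this font.
# Origins are compared exactly (scheme + host + port), as browsers send them.
FONT_ORIGIN_ALLOWLIST = frozenset({
    "https://www.example.com",
    "https://blog.example.com",
})


def cors_headers_for_font(origin: Optional[str],
                          allowlist=FONT_ORIGIN_ALLOWLIST) -> Dict[str, str]:
    """Headers a font server should send for a request carrying `origin`.

    `origin` is the request's Origin header, or None when the browser did
    not send one (nothing cross-origin to authorize in that case).
    Withholding Access-Control-Allow-Origin is how the server says "no":
    a conforming browser then refuses to use the font on that page.
    """
    headers = {"Content-Type": "font/woff", "Vary": "Origin"}
    if origin is None or origin == "null":
        return headers  # opaque or absent origin: never authorized
    if origin in allowlist:
        # Echo the specific origin rather than "*": a wildcard would
        # authorize every site on the web and defeat the licence term.
        headers["Access-Control-Allow-Origin"] = origin
    return headers


def browser_allows_font(page_origin: str, response_headers: Dict[str, str]) -> bool:
    """The user agent's side of the bargain: accept the font only when the
    response explicitly authorizes this page's origin (or everyone).

    This is the check the reply trusts reputable browsers to implement;
    the server cannot enforce it, it can only supply the header.
    """
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed is not None and allowed in ("*", page_origin)


if __name__ == "__main__":
    for page in ("https://www.example.com", "https://other.example.net"):
        ok = browser_allows_font(page, cors_headers_for_font(page))
        print(f"{page}: font {'usable' if ok else 'blocked'}")
```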