
Re: same-origin restrictions and EULA (Re: A way forward)

From: Thomas Lord <lord@emf.net>
Date: Sat, 25 Jul 2009 14:28:08 -0700
To: Chris Fynn <cfynn@gmx.net>
Cc: www-font <www-font@w3.org>, Sylvain Galineau <sylvaing@microsoft.com>
Message-Id: <1248557288.6302.11.camel@dell-desktop.example.com>

On Sat, 2009-07-25 at 14:40 +0600, Chris Fynn wrote:
> If same origin restrictions are enforced by the UA how can an EULA 
> reasonably require them? Surely web authors cannot be held responsible 
> for how particular browsers accessing their sites happen to behave in 
> this regard. Or is the server supposed to check each time which UA is 
> accessing the site and only serve web fonts to those it knows enforce 
> same-origin restrictions?

I think that it fundamentally comes down to 
trust and probability, as follows:

Same origin restrictions exist, where they
do, to protect server operators, to protect
browser-side security, and to protect user 
privacy.  Reputable browser implementers have
plenty of incentive to implement them well.

A EULA cannot say "if you put this font on the
web then you MUST ensure it is never used
in an unauthorized cross-origin way" because,
as you note, authors can't possibly perform
that obligation.

A EULA can say "you must configure your server
according to the CORS spec".  Authors *can*
perform that obligation.  Most users will be using
browsers from reputable suppliers, configured in the
default way, and the CORS effect will be achieved.

Received on Saturday, 25 July 2009 21:28:48 UTC
