Re: same-origin restrictions and EULA (Re: A way forward)

From: Thomas Lord <lord@emf.net>
Date: Sat, 25 Jul 2009 14:28:08 -0700
To: Chris Fynn <cfynn@gmx.net>
Cc: www-font <www-font@w3.org>, Sylvain Galineau <sylvaing@microsoft.com>
Message-Id: <1248557288.6302.11.camel@dell-desktop.example.com>

On Sat, 2009-07-25 at 14:40 +0600, Chris Fynn wrote:
> If same origin restrictions are enforced by the UA how can an EULA 
> reasonably require them? Surely web authors cannot be held responsible 
> for how particular browsers accessing their sites happen to behave in 
> this regard. Or is the server supposed to check each time which UA is 
> accessing the site and only serve web fonts to those it knows enforce 
> same-origin restrictions?

I think that it fundamentally comes down to 
trust and probability, as follows:

Same origin restrictions exist, where they
do, to protect server operators, to protect
browser-side security, and to protect user 
privacy.  Reputable browser implementers have
plenty of incentive to implement them well.

A EULA cannot say "if you put this font on the
web then you MUST ensure it is never used
in an unauthorized cross-origin way" because,
as you note, authors can't possibly perform
that obligation.

A EULA can say "you must configure your server
according to the CORS spec".   Authors *can*
perform that obligation.  Most users will be using
browsers from reputable suppliers, configured in the
default way, and the CORS effect will be achieved.


-t
Received on Saturday, 25 July 2009 21:28:48 GMT
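
What "configure your server according to the CORS spec" can look like for font files, as an added example that is not part of the original message: a Python function that picks the response headers from the request's `Origin` header. The allowlist, the file extensions and the function names are assumptions for illustration.

```python
# Added example: origin allowlist for font responses (all names are assumptions).
from urllib.parse import urlsplit

FONT_EXTENSIONS = (".woff", ".ttf", ".otf", ".eot")
# Hypothetical licensed sites; these are the origins the font licence covers.
LICENSED_ORIGINS = {"https://www.example.com", "https://blog.example.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' in lower case, or None if not a plain origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A real Origin header carries no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def font_cors_headers(path, origin_header, allowed=LICENSED_ORIGINS):
    """Headers to attach to the response for `path`, given the request's Origin."""
    if not path.lower().endswith(FONT_EXTENSIONS):
        return {}
    # Vary on Origin so a shared cache never replays one site's grant to another.
    headers = {"Vary": "Origin"}
    origin = normalize_origin(origin_header)
    if origin in allowed:
        # Exact match only, echoed back; no "*" and no substring matching.
        headers["Access-Control-Allow-Origin"] = origin
    # Without the header the server still sends the font bytes; it is the
    # browser that refuses to use them for a page from another origin.
    return headers
```

The server's part ends at emitting or withholding the header; enforcement stays with the user agent, which is the split the message describes.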