- From: Brad Kemper <brad.kemper@gmail.com>
- Date: Thu, 25 Jun 2009 20:37:54 -0700
- To: robert@ocallahan.org
- Cc: Jonathan Kew <jonathan@jfkew.plus.com>, Aryeh Gregor <Simetrical+w3c@gmail.com>, www-style@w3.org
On Jun 25, 2009, at 8:27 PM, Robert O'Callahan wrote:

> My understanding is that because of that problem, many firewalls are
> configured to strip ALL Referer headers. So all users behind such a
> firewall would be denied all fonts on servers that do Referer
> checking.
>
> For a lot of site authors, this might be acceptable, or they might
> send you a second-choice open license font instead. I wonder if it
> would be acceptable to the font publishers. It would not be that
> different from sites that block de-referred browsers from seeing
> their images.
>
> Sure, it might be acceptable, but default same-origin checks plus
> CORS are a better solution: more reliable, more privacy for users,
> more convenient for authors.

I agree that CORS is a better way to exchange that sort of information, but I am less thrilled about the idea of same-origin checks for fonts. If CORS could actually deny access on its own to non-authorized sites for whatever assets we want, instead of having to paint the restrictions with such a broad brush (as Firefox is doing with fonts), it would solve even more problems (such as allowing a site to block access to certain images from sites they don't authorize, but without necessarily blocking entire networks that strip referrer info).

Received on Friday, 26 June 2009 03:38:32 UTC