- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 18 Aug 2015 13:03:22 +0200
- To: TAG <www-tag@w3.org>
- Cc: Yehuda Katz <wycats@gmail.com>

The Fetch Standard includes advice about a basic safe CORS protocol setup that enables others to reuse your public resources:

https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup

However, apparently some set of font foundries require through a license agreement that their fonts are never distributed with this header. This in turn makes it harder for infrastructure (such as Apache, Ruby on Rails) to adopt this header as a default when they can ascertain they are not used for intranet purposes.

It seems problematic that a security measure (we use CORS for fonts because you can effectively steal a font from an intranet without it) can be abused in this way. Anything we can do about it?

--
https://annevankesteren.nl/

Received on Tuesday, 18 August 2015 11:03:48 UTC