CORS and fonts

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 18 Aug 2015 13:03:22 +0200
Message-ID: <CADnb78gFkO_y7uZOw+UMyovLxdjgBxh_3bjHjmRN8wipht7ykg@mail.gmail.com>
To: TAG <www-tag@w3.org>
Cc: Yehuda Katz <wycats@gmail.com>

The Fetch Standard includes advice about a basic safe CORS protocol
setup that enables others to reuse your public resources:

  https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup

However, apparently some set of font foundries require through a
license agreement that their fonts are never distributed with this
header.

This in turn makes it harder for infrastructure (such as Apache, Ruby
on Rails) to adopt this header as a default when they can ascertain
they are not used for intranet purposes. It seems problematic that a
security measure (we use CORS for fonts because you can effectively
steal a font from an intranet without it) can be abused in this way.

Anything we can do about it?


-- 
https://annevankesteren.nl/
Received on Tuesday, 18 August 2015 11:03:48 UTC