Re: [whatwg] font security on measureText

On Fri, May 3, 2013 at 6:25 PM, Rik Cabanier <cabanier@gmail.com> wrote:
> On Fri, May 3, 2013 at 2:23 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> 1. That assumes tainted cross-origin as a fetching mode.
>> http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
>> it uses CORS.
>
> What do you mean by 'you'?
> The link in Canvas from the WhatWG spec is to the above section

What I'm saying is that the section you're referring to is written
from the perspective of using tainted cross-origin as mode for font
fetching. Which is incorrect per the CSS fonts specification as per
that specification fonts will always be CORS-same-origin with the
document.


> OK. So it seems that the canvas spec should NOT say that the font has to be
> the same origin.
> It should refer to CSS portion that describes this fetching or be silent.

It would not have to say anything.


--
http://annevankesteren.nl/

Received on Saturday, 4 May 2013 08:17:07 UTC