- From: Nils Goroll <slink@schokola.de>
- Date: Wed, 30 Apr 2014 15:56:49 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- CC: WebAppSec WG <public-webappsec@w3.org>

On 30/04/14 14:47, Anne van Kesteren wrote:
> On Mon, Apr 28, 2014 at 3:43 PM, Nils Goroll <slink@schokola.de> wrote:
>> Please consider the simple case of a web font http://static.do.main/font.woff
>> which, for licensing reasons, is to be shared with a set of specific origins
>> only, so using 'Access-Control-Allow-Origin: *' is not an option.
>
> It is. You could terminate the request if the Origin request header
> was not "correct".

How should this work with CDNs and downstream caches?

>> I'd appreciate pointers if this issue had been discussed before, as I have
>> failed to find any previous discussion in the list archives.
>
> If we were to do this at this point we probably have to introduce a
> new header or force everyone to sniff user agents for support.
> However, there haven't been many requests for it.

I don't understand how sniffing user-agents relates to this issue.

Nils

Received on Wednesday, 30 April 2014 13:57:14 UTC
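
The caching question raised in the message above, modelled as an added example that is not part of the original thread: an origin server that refuses unlicensed `Origin` values, placed behind a toy shared cache, with and without the standard HTTP `Vary: Origin` response header. The licensee origins, the cache class and the font bytes are constructed assumptions; only the font URL comes from the message.

```python
ALLOWED = {"https://a.example", "https://b.example"}  # constructed licensees
FONT_URL = "http://static.do.main/font.woff"          # URL from the thread

def origin_server(origin, send_vary):
    """Refuse requests whose Origin is not licensed; echo it otherwise."""
    headers = {"Vary": "Origin"} if send_vary else {}
    if origin not in ALLOWED:
        return 403, headers, b""
    headers["Access-Control-Allow-Origin"] = origin
    return 200, headers, b"constructed font bytes"

class SharedCache:
    """Toy CDN: keys on the URL plus any request headers named in Vary."""
    def __init__(self, send_vary):
        self.send_vary, self.store, self.vary = send_vary, {}, {}

    def _key(self, url, req):
        return (url,) + tuple((n, req.get(n)) for n in self.vary.get(url, ()))

    def fetch(self, url, origin):
        req = {"Origin": origin}
        hit = self.store.get(self._key(url, req))
        if hit is not None:
            return hit
        resp = origin_server(origin, self.send_vary)
        vary = resp[1].get("Vary", "")
        self.vary[url] = tuple(v.strip() for v in vary.split(",") if v.strip())
        if resp[0] == 200:               # only successful responses are stored
            self.store[self._key(url, req)] = resp
        return resp

def browser_allows(origin, headers):
    """The CORS check a browser applies to the response it receives."""
    return headers.get("Access-Control-Allow-Origin") in (origin, "*")

def replay(send_vary, origins):
    """Return (status, browser_accepts) for each requesting origin, in order."""
    cache = SharedCache(send_vary)
    out = []
    for o in origins:
        status, headers, _ = cache.fetch(FONT_URL, o)
        out.append((status, browser_allows(o, headers)))
    return out

ORIGINS = ["https://a.example", "https://b.example", "https://other.example"]
if __name__ == "__main__":
    print("no Vary:     ", replay(False, ORIGINS))
    print("Vary: Origin:", replay(True, ORIGINS))
```

Without `Vary: Origin` the cache replays the first licensee's response to every later requester, so the second licensee fails the browser check and the unlicensed origin still receives the bytes with status 200; with it, each origin's request reaches the server's allowlist.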