W3C home > Mailing lists > Public > public-webfonts-wg@w3.org > April 2010

About using CORS (was: Re: WebFonts WG Kick-off)

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 26 Apr 2010 16:16:25 +0900
To: public-webfonts-wg@w3.org
Message-ID: <op.vbrc5nm764w2qv@annevk-t60>
Christopher Slye wrote:
> Is there an argument to be made _against_ requiring SOR?

If by SOR you mean CORS -- of which the editor's draft can be found at  
http://dev.w3.org/2006/waf/access-control/ -- I suppose I should explain  
why I think it is wrong to use it for the scenario it is being considered  
for here.

CORS is meant to lift restrictions that unless otherwise in place would be  
privacy problems. E.g. reading data from other servers with XMLHttpRequest  
is not allowed because in the context of the user running the browser such  
a server might be located on the user's intranet which does authentication  
based on the user's IP. Allowing evil.com to access such data would be a  
problem. Similarly cross-origin <img> resources can be manipulated through  
<canvas> but once such an <img> is painted on the <canvas> it can no  
longer be extracted as that would be a privacy leak. CORS provides a way  
to lift these restrictions.

Fonts do not need these restrictions. There is no privacy leak when I use  
a font from another server on my own. There might be a problem if the  
other server is hijacked and starts serving different glyphs, but CORS is  
not a solution to such a problem and will do nothing to prevent it. Using  
CORS as anything else than lifting restrictions put in place for  
information leakage is an abuse of the protocol in my opinion.

If we are concerned with bandwidth usage we should have something that  
also works for <img>, <video>, etc, not just for fonts.

Kind regards,

PS: I'm currently not subscribed to public-webfonts-wg@w3.org.

Anne van Kesteren
Received on Monday, 26 April 2010 07:17:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:04:20 UTC