Re: About using CORS

On Wed, 28 Apr 2010 11:28:29 +0900, Sylvain Galineau  
<sylvaing@microsoft.com> wrote:
> WOFF and this WG exist because fonts are not 'like images'. The same
> argument was made to argue that raw fonts are all that should be needed.

Indeed, I'm not convinced it has been proven otherwise. The existence of  
the WebFonts WG does not demonstrate that in one way or another I think.


> Until the realities of HTTP compression and the aim to maximize web
> author choice - beyond free fonts and dedicated proprietary obfuscation
> services like TypeKit - meant that this just wasn't true in practice.

HTTP compression works just fine for fonts. That font vendors are willing  
to license fonts with this new format which offers no protection in  
practice is surprising, but maybe it makes it worth the effort.


> For a bunch of reasons - some technical, some not - this resulted in a
> new cross-browser format and other related implementation decisions. For
> CORS specifically, I understand the main motivation was security. Fonts
> include small bits of code (opcodes actually) and thus do not have quite
> the same security surface as an image file. Also, fonts have generally
> not been as actively targeted for exploits as other resource formats; it
> thus seems reasonable to assume the underlying decoders to be relatively
> less hardened than, say, the latest PNG decoder.

This is just plain FUD. If font resources are insecure that is a problem  
regardless of whether font loading has a same-origin limitation.


> That most font licenses require same-origin is an added benefit in  
> support of Mozilla's choice that fits well with the broader motive.

It does not fit at all with how same-origin restrictions have been  
determined and applied so far.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 28 April 2010 04:48:43 UTC
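The thread above argues about whether a same-origin (CORS-gated) restriction on font loading buys anything. The following is an added example, not code from either poster or from any browser or the WebFonts WG: a deliberately simplified model of the check a browser performs when a page on one origin fetches a font from another, showing which `Access-Control-Allow-Origin` responses let the cross-origin load through and which do not. The URLs, origins and header values are constructed for illustration, and the model covers only the anonymous (no-credentials) case relevant to `@font-face`; real browsers implement the full Fetch/CORS algorithm, including credentials mode and preflights.

```python
"""Simplified model of the CORS check applied to cross-origin font loads.

Constructed example for illustration; not the Fetch/CORS specification's
full algorithm. It covers only an anonymous (credential-less) fetch, which
is the mode used for @font-face resources.
"""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the origin (scheme://host[:port]) of a URL, dropping a default port."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname or ""
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def font_load_allowed(page_url: str, font_url: str, response_headers: dict) -> tuple:
    """Decide whether a page at page_url may use the font fetched from font_url.

    Returns (allowed, reason). Same-origin loads never need a CORS header;
    cross-origin loads need Access-Control-Allow-Origin to be "*" or to name
    the requesting page's origin exactly.
    """
    page_origin = origin_of(page_url)
    font_origin = origin_of(font_url)
    if page_origin == font_origin:
        return True, "same-origin: no CORS header required"

    # Header names are case-insensitive; normalise before lookup.
    headers = {name.lower(): value.strip() for name, value in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False, "cross-origin font served without Access-Control-Allow-Origin"
    if acao == "*" or acao == page_origin:
        return True, f"allowed by Access-Control-Allow-Origin: {acao}"
    return False, f"Access-Control-Allow-Origin {acao!r} does not match {page_origin}"


# Constructed scenarios: a page on www.example.org loading fonts from
# various places. None of these hosts or files are real resources.
PAGE = "https://www.example.org/article.html"
SCENARIOS = [
    ("https://www.example.org/fonts/body.woff", {}),
    ("https://fonts.example.net/body.woff", {}),
    ("https://fonts.example.net/body.woff", {"Access-Control-Allow-Origin": "*"}),
    ("https://fonts.example.net/body.woff",
     {"Access-Control-Allow-Origin": "https://www.example.org"}),
    ("https://fonts.example.net/body.woff",
     {"Access-Control-Allow-Origin": "https://other.example.org"}),
]


def run_scenarios() -> list:
    """Evaluate every constructed scenario and return the list of (allowed, reason)."""
    return [font_load_allowed(PAGE, font_url, hdrs) for font_url, hdrs in SCENARIOS]


if __name__ == "__main__":
    for (font_url, hdrs), (ok, why) in zip(SCENARIOS, run_scenarios()):
        print(f"{'ALLOW' if ok else 'BLOCK'}  {font_url}  {hdrs or '(no CORS header)'}  -> {why}")
```

The model makes the point of the thread concrete: the same-origin rule is a resource-access policy enforced on the fetching side, keyed purely on origins and the `Access-Control-Allow-Origin` header, and it says nothing about how robust the font decoder behind it is.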