RE: About using CORS

On Wednesday, April 28, 2010 12:51 AM Anne van Kesteren wrote:
> 
> A same-origin restriction by default does nothing to protect their
> custom corporate fonts. The font can simply be downloaded and 
> uploaded to a different server.
> 

And it means that someone would have to make a willful act of theft of IP, and that person would know full well about possible consequences. Like Christopher said, there is a big difference between finding a wallet on a street vs. taking a wallet from inside a car, even if the door was unlocked.

> HTTP compression works just fine for fonts. That font vendors are 
> willing to license fonts with this new format which offers no 
> protection in practice is surprising, but maybe it makes it worth 
> the effort.

The new format also provides both public and private metadata embedded in the WOFF header. If someone decides to download a font from one server and upload it to another without modifying the metadata - it would be like stealing the bag of money with the spray paint inside. He would just announce to the whole world that he is using a stolen resource. And if that hypothetical someone does take an extra step of modifying or removing metadata - that would confirm to the world that theft of IP was in fact the willful intent.

> FWIW, I'm not opposed to adding a same-origin protection mechanism 
> for resources, but I think it should not be limited to fonts.

Did anyone ever mention that the same-origin restriction should be limited to fonts?
I agree with you, it makes perfect sense to protect resources (and the bandwidth the rightful owner of that resource is paying for), but it is not something this WG can solve. However, developing a new recommendation for Web fonts is the WG charter, hence this discussion and application of same-origin restriction and CORS for fonts is perfectly reasonable and appropriate, IMHO.


Regards,
Vladimir

> 
> --
> Anne van Kesteren
> http://annevankesteren.nl/

Received on Wednesday, 28 April 2010 14:31:58 UTC
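
The WOFF metadata and private data blocks mentioned in the message can be inspected mechanically, for instance to see whether a served font still carries them. The following is an added example, not part of the original thread; it assumes the WOFF 1.0 header layout (44 bytes, big-endian, with `metaOffset`, `metaLength`, `metaOrigLength`, `privOffset` and `privLength` as the last five fields), and `MAX_METADATA` and `build_sample` are hypothetical names used only to build and bound the constructed test input.

```python
import struct
import zlib

# WOFF 1.0 header: 44 bytes, big-endian. The last five fields locate the
# extended metadata block (zlib-compressed XML) and the private data block.
WOFF_HEADER = struct.Struct(">4sIIHHIHHIIIII")
MAX_METADATA = 1 << 20  # assumed cap on decompressed metadata size

def read_woff_metadata(data: bytes) -> dict:
    """Return the metadata XML and private data of a WOFF file, or None for each."""
    if len(data) < WOFF_HEADER.size:
        raise ValueError("too short for a WOFF header")
    (sig, _flavor, length, _tables, _reserved, _sfnt_size, _major, _minor,
     meta_off, meta_len, meta_orig, priv_off, priv_len) = WOFF_HEADER.unpack_from(data)
    if sig != b"wOFF":
        raise ValueError("not a WOFF file")
    if length != len(data):
        raise ValueError("header length does not match file size")
    found = {"metadata_xml": None, "private_data": None}
    if meta_off:
        if meta_off + meta_len > len(data) or meta_orig > MAX_METADATA:
            raise ValueError("metadata block out of bounds or too large")
        # Bound the output so a hostile file cannot act as a decompression bomb.
        xml = zlib.decompressobj().decompress(
            data[meta_off:meta_off + meta_len], meta_orig + 1)
        if len(xml) != meta_orig:
            raise ValueError("metadata length does not match metaOrigLength")
        found["metadata_xml"] = xml.decode("utf-8")
    if priv_off:
        if priv_off + priv_len > len(data):
            raise ValueError("private data block out of bounds")
        found["private_data"] = data[priv_off:priv_off + priv_len]
    return found

def build_sample(xml: bytes, priv: bytes) -> bytes:
    """Constructed test input: a WOFF container with zero font tables."""
    comp = zlib.compress(xml) if xml else b""
    pad = b"\0" * (-len(comp) % 4)  # private block starts 4-byte aligned
    meta_off = WOFF_HEADER.size if xml else 0
    priv_off = WOFF_HEADER.size + len(comp) + len(pad) if priv else 0
    total = WOFF_HEADER.size + len(comp) + len(pad) + len(priv)
    header = WOFF_HEADER.pack(b"wOFF", 0x00010000, total, 0, 0, 12, 1, 0,
                              meta_off, len(comp), len(xml), priv_off, len(priv))
    return header + comp + pad + priv

if __name__ == "__main__":
    sample = build_sample(b'<metadata version="1.0"/>', b"constructed-licensee-id")
    print(read_woff_metadata(sample))
```

A file whose `metaOffset` and `privOffset` are both zero returns `None` for both entries, which is how a font with the blocks removed appears to this check.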