- From: Chris Lilley <chris@w3.org>
- Date: Wed, 9 Jun 2010 19:08:41 +0200
- To: "Levantovsky, Vladimir" <Vladimir.Levantovsky@MonotypeImaging.com>
- CC: "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
On Monday, June 7, 2010, 10:25:58 PM, Vladimir wrote: LV> At the last conference call it was suggested (and agreed) to LV> discuss access control (same-origin restriction and CORS). I agree that same-origin restriction is important; several EULAs for WebFonts require it. Whether it should be a default or not is an open question. As to CORS, it's an API. There is no declarative method to use it. So for static resources, accessed by a passive link in a stylesheet rather than through active fetching (XMLHTTPRequest) it does not apply. Other technologies can be used for static content to enforce referer checking. As an example, PHP can be used. http://www.knowledgesutra.com/forums/topic/40295-check-referrer-to-prevent-linking-yours-from-other-sites/ That does move the onus onto the content hoster to provide protection, rather than the browser to not fetch, but that may well be fine. Referrer checking is a 'mostly works' picket fence type protection. It can be spoofed if someone wants to. Then again, resources can always be scooped up from a browser cache or proxy, too. Again I feel the emphasis should be on preventing casual, unknowing infringement, not on trying to provide some cast iron security assurance. -- Chris Lilley mailto:chris@w3.org Technical Director, Interaction Domain W3C Graphics Activity Lead Co-Chair, W3C Hypertext CG
Received on Wednesday, 9 June 2010 17:08:45 UTC