RE: About using CORS

On Wednesday, June 09, 2010 1:09 PM Chris Lilley wrote:
> 
> On Monday, June 7, 2010, 10:25:58 PM, Vladimir wrote:
> 
> LV> At the last conference call it was suggested (and agreed) to
> LV> discuss access control (same-origin restriction and CORS).
> 
> 
> I agree that same-origin restriction is important; several EULAs for
> WebFonts require it.
> 
> Whether it should be a default or not is an open question.
> 

(Speaking with my chair hat off.)

Yes, I agree that many EULAs for web fonts require some sort of access control to limit sharing of font resources, but I think it is also important to consider the following issues we identified earlier:
- fonts may represent a new attack vector for malicious web content [1], therefore applying same origin restriction for fonts would eliminate some risks;
- the decision to apply (or not) same-origin restriction by default is independent of CORS, for the reasons presented in [2].

In order to facilitate the discussion and considering the motivations for same-origin restriction we discussed earlier [3] and consistency with the CSS3 Fonts Module [4], I'd like to propose the following language:

"User agents must implement a 'same-origin restriction' when downloading WOFF files using the same origin matching algorithm described in the HTML5 specification. Note that the origin of the stylesheet containing @font-face declarations is not used when deciding whether a WOFF file is same origin or not; only the origin of the containing document is used. User agents must also implement the ability to relax this restriction using cross-origin resource sharing. Sites can explicitly allow cross-site downloading of WOFF files using the Access-Control-Allow-Origin HTTP header."

Thank you,
Vlad

[1] http://lists.w3.org/Archives/Public/public-webfonts-wg/2010Apr/0054.html
[2] http://lists.w3.org/Archives/Public/public-webfonts-wg/2010Apr/0041.html
[3] http://lists.w3.org/Archives/Public/public-webfonts-wg/2010Apr/thread.html
[4] http://dev.w3.org/csswg/css3-fonts/#same-origin-restriction
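The proposed language above can be modelled as a small decision function. The following is an added example, not code from the W3C WebFonts WG thread or from any user agent: it compares the origin of the containing document (never the stylesheet's) with the origin of the font URL, and for a cross-origin font it accepts the load only when the server's Access-Control-Allow-Origin response header names that document origin or is the wildcard. The function names, the plain-object representation of response headers, and the `withCredentials` flag are assumptions made for this example; the rule that the wildcard is not honoured for a credentialed request is standard CORS behaviour rather than something the proposal states.

```javascript
// Added example (not from the W3C thread): a model of the proposed WOFF
// same-origin restriction with CORS relaxation. Only the origin of the
// containing document is consulted; the stylesheet's origin is ignored.

// Serialize a URL to its origin (scheme, host, port). URL.origin already
// drops default ports, so https://a.example:443 and https://a.example agree.
function originOf(url) {
  return new URL(url).origin;
}

// Case-insensitive lookup in a plain object standing in for response headers
// (a constructed stand-in for the headers of a real font fetch).
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return String(headers[key]).trim();
  }
  return undefined;
}

// Decide whether a document at documentUrl may use the font at fontUrl.
// stylesheetUrl is accepted only to make explicit that it plays no part.
// withCredentials models a request that carried cookies; CORS does not
// accept the wildcard origin for such requests.
function fontLoadAllowed({ documentUrl, stylesheetUrl, fontUrl, responseHeaders = {}, withCredentials = false }) {
  void stylesheetUrl; // deliberately unused: the stylesheet's origin does not count
  const docOrigin = originOf(documentUrl);

  if (docOrigin === originOf(fontUrl)) {
    return { allowed: true, reason: 'same-origin' };
  }

  const acao = headerValue(responseHeaders, 'Access-Control-Allow-Origin');
  if (acao === undefined) {
    return { allowed: false, reason: 'cross-origin and no Access-Control-Allow-Origin header' };
  }
  if (acao === '*') {
    return withCredentials
      ? { allowed: false, reason: 'wildcard origin not accepted for credentialed request' }
      : { allowed: true, reason: 'cross-origin, server allows any origin' };
  }
  if (acao === docOrigin) {
    return { allowed: true, reason: 'cross-origin, server allows this document origin' };
  }
  return { allowed: false, reason: `cross-origin, header allows ${acao} but document origin is ${docOrigin}` };
}

// Constructed usage: a page on example.com pulling a font from a CDN via a
// stylesheet that is itself served by the CDN. Without the header the load
// is refused even though stylesheet and font share an origin.
const blocked = fontLoadAllowed({
  documentUrl: 'https://example.com/page.html',
  stylesheetUrl: 'https://cdn.example.net/site.css',
  fontUrl: 'https://cdn.example.net/fonts/body.woff',
});
const permitted = fontLoadAllowed({
  documentUrl: 'https://example.com/page.html',
  stylesheetUrl: 'https://cdn.example.net/site.css',
  fontUrl: 'https://cdn.example.net/fonts/body.woff',
  responseHeaders: { 'access-control-allow-origin': 'https://example.com' },
});
console.log(blocked.reason);   // refused: no opt-in from the font server
console.log(permitted.reason); // allowed: server named the document origin
```

The check is deliberately strict about scheme and port: an http: document cannot use a font from the https: copy of the same host without a CORS header, which is exactly what the HTML5 origin comparison requires. A font server that wants to opt in for a single site should emit the exact document origin rather than `*`, so that the permission does not extend to every other site on the web.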

Received on Friday, 11 June 2010 20:59:48 UTC