- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 04 May 2010 10:29:59 +0900
- To: "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "Sylvain Galineau" <sylvaing@microsoft.com>
On Tue, 04 May 2010 07:04:06 +0900, Sylvain Galineau <sylvaing@microsoft.com> wrote:

>> HTTP compression works just fine for fonts. That font vendors are willing
>> to license fonts with this new format which offers no protection in
>> practice is surprising, but maybe it makes it worth the effort.
>
> I am not commenting on whether fonts *can* be compressed by HTTP, but
> whether resources *are* compressed by HTTP and how often. In practice,
> as many as 20% of the users of major sites do not in fact get a
> compressed response due to caching proxy strategies.

That sounds like a general problem with HTTP compression. Again something that does not just need to be solved for fonts, as far as I can tell.

> Labeling things you disagree with as FUD is neither helpful nor
> necessary.
>
> If font decoding is less secure than other content types, same-origin
> restrictions mitigate the risk somewhat by requiring the attacker to be
> able to post font resources on the origin site. (At which point, well,
> all bets are off...) Without that restriction, the attack surface is
> most definitely larger.

I don't really see it. If the browser has such a severe bug it would need to be fixed immediately. Maybe you can make the scenario more concrete?

>> It does not fit at all with how same-origin restrictions have been
>> determined and applied so far.
>
> And?

I don't think fonts warrant a change.

--
Anne van Kesteren
http://annevankesteren.nl/
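The same-origin restriction on font loading that the two correspondents argue about is, in practice, a comparison of the (scheme, host, port) tuple of the document against that of the `@font-face` resource. The following added example (not part of the original message or of any browser's code) shows that decision as a small policy function. The default-port table, the `may_load_font` policy and the optional cross-origin opt-in via an `Access-Control-Allow-Origin` value are assumptions made for this illustration; the thread itself only discusses the plain same-origin case.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Ports implied when a URL omits one (assumption for this example; only the
# two schemes that matter for web fonts are listed).
DEFAULT_PORTS = {"http": 80, "https": 443}

Origin = Tuple[str, str, int]


def origin(url: str) -> Optional[Origin]:
    """Return the (scheme, host, port) origin of a URL, or None if it has no
    usable scheme/host or an unknown scheme without an explicit port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname
    if not scheme or not host:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        return None
    return (scheme, host.lower(), port)


def same_origin(document_url: str, resource_url: str) -> bool:
    """True only when both URLs parse and yield an identical origin tuple."""
    a, b = origin(document_url), origin(resource_url)
    return a is not None and a == b


def may_load_font(document_url: str, font_url: str,
                  allow_origin_header: Optional[str] = None) -> bool:
    """Decide whether a document may use a font resource.

    Policy (an assumption for this example): a same-origin font is always
    usable, which is the restriction discussed in the thread, so an attacker
    has to place the font on the document's own origin. A cross-origin font
    is usable only if its server opted in with an Access-Control-Allow-Origin
    value of '*' or one matching the document's origin.
    """
    if same_origin(document_url, font_url):
        return True
    if allow_origin_header is None:
        return False
    if allow_origin_header.strip() == "*":
        return True
    return origin(allow_origin_header.strip()) == origin(document_url)


if __name__ == "__main__":
    # Constructed sample URLs; not taken from any real site.
    doc = "https://example.com/article"
    for font, hdr in [
        ("https://example.com/fonts/body.woff", None),
        ("https://fonts.example.net/body.woff", None),
        ("https://fonts.example.net/body.woff", "https://example.com"),
    ]:
        print(font, hdr, "->", may_load_font(doc, font, hdr))
```

The function deliberately treats an unparseable URL as a distinct (unknown) origin, so a malformed font URL never passes the check by accident; that is the fail-closed behaviour a browser needs when the decoder behind the check is the component under suspicion.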
Received on Tuesday, 4 May 2010 01:30:47 UTC