Re: What constitutes protection [was: About using CORS]

Resending to www-font@w3.org so others can participate more easily. I
suggest follow-up email is also posted there. The suggestion from John in
http://lists.w3.org/Archives/Public/public-webfonts-wg/2010Apr/0067.html
makes perfect sense.

On Tue, 04 May 2010 12:44:58 +0900, Sylvain Galineau
<sylvaing@microsoft.com> wrote:
> Where, why and how does it clash ? If a browser does a simple  
> cross-domain request as specified by CORS for font resources, how does  
> that conflict with the 'existing design for same-origin policy' ?

I explained before that to date we only have had same-origin protection to
prevent information leakage. This is consistent across XMLHttpRequest,
<img>, <form>, <video>, <audio>, <script>, <iframe>, etc. While if we
could do things all over again this would likely have been done
differently, we cannot. Since there is no information leakage restricting
requests to be same-origin is uncalled for and inconsistent with the
design principles that are used for the Web platform.

Of course we can change the principles and make an exception, but I do not
feel it is justified.

(It is probably not worth going further on the "fonts are like images"
theme. I do not think you are right that I lack some kind of knowledge I
could have acquired by participating more. I have studied the subject to
quite some extent since the day David Hyatt implemented @font-face support
in WebKit in a couple of days. I think we simply disagree.)


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 4 May 2010 04:26:18 UTC