- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 04 May 2010 13:25:31 +0900
- To: "John Hudson" <tiro@tiro.com>, "Sylvain Galineau" <sylvaing@microsoft.com>
- Cc: www-font@w3.org, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
Resending to www-font@w3.org so others can participate more easily. I suggest follow-up email is also posted there. The suggestion from John in http://lists.w3.org/Archives/Public/public-webfonts-wg/2010Apr/0067.html makes perfect sense. On Tue, 04 May 2010 12:44:58 +0900, Sylvain Galineau <sylvaing@microsoft.com> wrote: > Where, why and how does it clash ? If a browser does a simple > cross-domain request as specified by CORS for font resources, how does > that conflict with the 'existing design for same-origin policy' ? I explained before that to date we only have had same-origin protection to prevent information leakage. This is consistent across XMLHttpRequest, <img>, <form>, <video>, <audio>, <script>, <iframe>, etc. While if we could do things all over again this would likely have been done differently, we cannot. Since there is no information leakage restricting requests to be same-origin is uncalled for and inconsistent with the design principles that are used for the Web platform. Of course we can change the principles and make an exception, but I do not feel it is justified. (It is probably not worth going further on the "fonts are like images" theme. I do not think you are right that I lack some kind of knowledge I could have acquired by participating more. I have studied the subject to quite some extent since the day David Hyatt implemented @font-face support in WebKit in a couple of days. I think we simply disagree.) -- Anne van Kesteren http://annevankesteren.nl/
Received on Tuesday, 4 May 2010 04:26:18 UTC