RE: CORS or From-Origin?

[Håkon Wium Lie:]
> This is achieved by switching the default. In Mozilla's CORS-based
> implementation today, the default is to ignore the font unless a certain
> HTTP header is present. In the From-Origin proposal, the browser will
> ignore the font if a certain HTTP header is present. This change of
> default setting allows From-Origin to be used with other media types on
> the web without causing havoc.

This makes the proposed solution more expensive for authors given the 
requirements. We know that most commercial font licenses have a same-domain 
restriction (implicit or explicit) i.e. you license your font for a domain. 
I understand this will largely be true for most fonts licensed for hosting 
by a site (vs. licensed by Typekit-style subscription).

As such, the current solution imposes no cost on the author: right out
of the box, browsers default to doing what her license requires. No need 
for referrer check or server config updates. The font vendor doesn't need
to educate the author/site on the need to set this up, or check that it's
being done. (As a side note, that is also rather nice if configuring HTTP 
headers is not an option; not all hosting services allow it. I also
know small-business owners who are savvy enough to maintain their own web
sites and use fonts but have very little comfort and knowledge or protocol
issues and settings).

That the author has to take deliberate extra steps to do the 'wrong' thing  
Also makes font vendors's lives easier - and puts their minds at ease - which 
is good if we want to get lots more fonts licensed for web use. 

So while the default you are suggesting is understandably the right one 
for a solution that targets all files without breaking the rest of the web,
 it's the 'wrong' default for fonts. But it's certainly an improvement on
Referrer checks.

Received on Wednesday, 9 February 2011 21:18:48 UTC