Re: SOR: CORS or From-Origin?

Håkon Wium Lie wrote:

> Same-origin restrictions (SOR), by way of CORS, are described in
> the current WOFF WD. As we have seen on this list, the use of
> CORS is seeing some resistance in the web community. I believe
> it's in the interest of this WG to try to address the concerns
> raised.

I think this is a confusing way of describing the issue with
same-origin restrictions on fonts.  CORS is a mechanism for
*relaxing* a same origin restriction; it's not a mechanism to
*enforce* a same origin restriction.

I think there are two separate issues here:

  1. What should be the default load behavior for cross-origin
     font requests?

  2. How can authors modify the default behavior?

The existing same-origin restriction for WOFF is that by default
cross-origin font requests aren't loaded but that this behavior
can be modified by authors using the CORS mechanism.  What Anne
is proposing is that by default cross-origin font requests *are*
loaded, just as images and scripts are loaded.  But authors can
restrict cross-site usage of *any* resource type by adding an
appropriate 'From-Origin' header.  The default load behavior is
the real issue here; the mechanism for relaxing/tightening this
is more interesting mechanics.

As both Dave and Sylvain have pointed out, removing the default
load restriction on cross-origin font resources means that
authors would always need to change response header settings to
satisfy common licensing requirements for commercial fonts.  If
cross-origin fonts are restricted by default they wouldn't need
to do this.

Note that it's also possible to have cross-origin font resources
restricted by default *and* allow other types to be restricted
via something like Anne's 'From-Origin' mechanism.  I'm quite
sure Anne doesn't like that though. ;)

It would be good to get a clear response from Apple as to what
their position is and the reasoning behind it.

Regards,

John Daggett

cc: Anne

Received on Thursday, 10 February 2011 04:39:44 UTC
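
Added example, not part of the original message: a small model of the two default load behaviors discussed above, showing what a font server that sends no extra headers ends up permitting under each. The function names, the sample origins, and the assumed 'From-Origin' value syntax ("same" or a comma-separated list of origins) are illustrative assumptions.

```javascript
// Case-insensitive response header lookup (headers is a plain object).
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Model 1: cross-origin fonts are blocked by default; CORS *relaxes* this.
function allowedRestrictedByDefault(pageOrigin, fontOrigin, headers) {
  if (pageOrigin === fontOrigin) return true;
  const acao = header(headers, "access-control-allow-origin");
  return acao === "*" || acao === pageOrigin;
}

// Model 2: cross-origin fonts load by default; From-Origin *tightens* this.
// Assumed syntax: "same", or a comma-separated list of allowed origins.
function allowedOpenByDefault(pageOrigin, fontOrigin, headers) {
  if (pageOrigin === fontOrigin) return true;
  const fromOrigin = header(headers, "from-origin");
  if (fromOrigin === undefined) return true; // no header: anyone may embed
  // "same" never equals a cross-origin page origin, so it denies the load.
  return fromOrigin.split(",").map(s => s.trim()).includes(pageOrigin);
}

// Evaluate one request under both models.
function compare(pageOrigin, fontOrigin, headers) {
  return {
    restrictedByDefault: allowedRestrictedByDefault(pageOrigin, fontOrigin, headers),
    openByDefault: allowedOpenByDefault(pageOrigin, fontOrigin, headers),
  };
}

// Constructed sample: a page on one origin embedding a font hosted on another.
const PAGE = "https://blog.example";
const FONT_HOST = "https://fonts.example";
const scenarios = {
  "no headers": {},
  "CORS allows page": { "Access-Control-Allow-Origin": PAGE },
  "From-Origin: same": { "From-Origin": "same" },
  "From-Origin lists page": { "From-Origin": "https://licensee.example, " + PAGE },
};
for (const [label, headers] of Object.entries(scenarios)) {
  console.log(label, compare(PAGE, FONT_HOST, headers));
}
```

The "no headers" row is the licensing concern raised above: under the open default an unconfigured server serves the font to any embedding site, while under the restricted default it does not.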