- From: Håkon Wium Lie <howcome@opera.com>
- Date: Thu, 10 Feb 2011 13:32:55 +0100
- To: John Daggett <jdaggett@mozilla.com>
- Cc: public-webfonts-wg@w3.org, Anne van Kesteren <annevk@opera.com>
Also sprach John Daggett:
> > Same-origin restrictions (SOR), by way of CORS, is described in
> > the current WOFF WD. As we have seen on this list, the use of
> > CORS is seeing some resistance in the web community. I believe
> > it's in the interest of this WG to try to address the concerns
> > raised.
>
> I think this is a confusing way of describing the issue with
> same-origin restrictions on fonts. CORS is a mechanism for
> *relaxing* a same origin restriction, it's not a mechanism to
> *enforce* a same origin restriction.
True. But CORS is still an intrinsic part of the mechanism proposed
for SOR; no one (in their right mind) would suggest to have SOR without
a way of relaxing it?
> I think there are two separate issues here:
>
> 1. What should be the default load behavior for cross-origin
> font requests?
>
> 2. How can authors modify the default behavior?
>
> The existing same-origin restriction for WOFF is that by default
> cross-origin font requests aren't loaded but that this behavior
> can be modified by authors using the CORS mechanism. What Anne
> is proposing is that by default cross-origin font requests *are*
> loaded, just as images and scripts are loaded. But authors can
> restrict cross-site usage of *any* resource type by adding an
> appropriate 'From-Origin' header.
Yes.
> As both Dave and Sylvain have pointed out, removing the default
> load restriction on cross-origin font resources means that
> authors would always need to change response header settings to
> satisfy common licensing requirements for commercial fonts. If
> cross-origin fonts are restricted by default they wouldn't need
> to do this.
Yes. It's a tradeoff. Slightly more work for font publishers with
restrictions -- they would have to add this to their .htaccess file:

    <FilesMatch "\.(ttf|TTF|otf|OTF|woff|WOFF)$">
      Header set From-Origin same
    </FilesMatch>

In return we get a mechanism that the whole web can use, one that also
solves privacy concerns.
-h&kon
Håkon Wium Lie CTO °þe®ª
howcome@opera.com http://people.opera.com/howcome
Received on Thursday, 10 February 2011 12:33:33 UTC
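
The tradeoff discussed in this message, as an added example that is not part of the original email and is not browser code: a simplified model of the two defaults (blocked unless CORS allows, versus allowed unless From-Origin restricts). The function names, the example.* URLs and the handling of From-Origin values other than the "same" shown above are assumptions.

```javascript
// Added example: simplified model of the two defaults debated in this thread.
// Not browser code. Real CORS also depends on request mode and credentials.

// Case-insensitive response-header lookup; returns undefined when absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Same origin means same scheme, host and port.
function sameOrigin(pageUrl, fontUrl) {
  return new URL(pageUrl).origin === new URL(fontUrl).origin;
}

// Default described for the WOFF WD: cross-origin font loads are blocked
// unless the font server relaxes the restriction with a CORS header.
function allowedDefaultDeny(pageUrl, fontUrl, headers) {
  if (sameOrigin(pageUrl, fontUrl)) return true;
  const acao = header(headers, "access-control-allow-origin");
  return acao === "*" || acao === new URL(pageUrl).origin;
}

// From-Origin proposal: cross-origin loads are allowed unless the server
// opts in to a restriction. Only the "same" value from the message is
// modelled; any other value is treated as equally strict (assumption).
function allowedDefaultAllow(pageUrl, fontUrl, headers) {
  if (header(headers, "from-origin") === undefined) return true;
  return sameOrigin(pageUrl, fontUrl);
}

// Constructed sample: a blog embedding a font hosted by a foundry.
const PAGE = "https://blog.example/post";
const FONT = "https://foundry.example/fonts/body.woff";
const CASES = [
  ["no headers configured", {}],
  ["From-Origin: same", { "From-Origin": "same" }],
  ["Access-Control-Allow-Origin: *", { "Access-Control-Allow-Origin": "*" }],
];

function compare() {
  return CASES.map(([label, headers]) => ({
    label,
    defaultDeny: allowedDefaultDeny(PAGE, FONT, headers),
    defaultAllow: allowedDefaultAllow(PAGE, FONT, headers),
  }));
}

console.table(compare());
```

The first row is the licensing case raised in the thread: a font server that sets no headers is protected under the default-deny model and embeddable by any site under the default-allow model.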