Re: SOR: CORS or From-Origin?

On Thu, Feb 10, 2011 at 2:17 PM, Behdad Esfahbod <behdad@google.com> wrote:
> On Thu, Feb 10, 2011 at 5:05 PM, Tab Atkins <tabatkins@google.com> wrote:
>> On Thu, Feb 10, 2011 at 1:51 PM, Behdad Esfahbod <behdad@google.com>
>> wrote:
>> > On Thu, Feb 10, 2011 at 4:32 PM, Liam R E Quin <liam@w3.org> wrote:
>> >>
>> >> On Thu, 2011-02-10 at 16:16 -0500, Behdad Esfahbod wrote:
>> >> > Given the discussion going on, I wonder, has it been considered to
>> >> > include a
>> >> > SOR flag in the WOFF file itself?
>> >>
>> >> By the time you've got the font in order to check the flag, it's too
>> >> late for the server to refuse to send it, no?
>> >
>> > No.  This is exactly like the current proposed SOR, which is also
>> > client-side.  This is not about the server refusing to serve.  You can
>> > always download the font using "wget", and the current SOR mechanism
>> > would
>> > help there either.  It's about the font not working on other people's
>> > website.
>>
>> You must be misunderstanding something in the proposal, because you're
>> incorrect here.
>
> Ok, let me correct myself: what I propose is *functionally* equivalent to
> the current SOR.  In that in both cases, another domain linking to the font
> will NOT work.  In both cases, people can download the font still, because
> SOR does not restrict the server from serving.

Indeed, it's the same in those contexts.  But it doesn't save any
bandwidth for the original author, which is one of the nice benefits
of preventing hot-linking through SOR.  This is a significant
difference.

~TJ

Received on Thursday, 10 February 2011 22:20:45 UTC