- From: John Hudson <tiro@tiro.com>
- Date: Wed, 16 Feb 2011 09:32:44 -0800
- CC: public-webfonts-wg@w3.org
Sylvain and Vlad proposed a revision to the From Origin idea that would, as I understood it, make the default behaviour same-origin restrictive.

Sylvain (10 February):

> Solving the problem generally is always nice, but as the default behavior of the general solution conflicts with the smart default for fonts it does not really improve on the current solution for our purposes. One possible tweak would be to say that resources loaded by @font-face should be treated as if From-Origin:same was set unless the server sets that header.

Vlad (10 February):

> I think this could be a very good alternative to CORS. "From Origin" header would work exactly as proposed if present. However, the default behavior can be specified by the WOFF spec that in absence of "From Origin" header must be treated as if "From Origin: same" is set.
>
> In my admittedly 'under-educated' opinion, this would resolve all the concerns that Håkon and Anne had presented (i.e. the same "From Origin" header can be used with any other media type "without causing havoc"), and the only difference is that the alternative default behavior is specified by WOFF spec. As Håkon said, if "From Origin" can be spec'ed quickly, this might be the way to eliminate the dependency on CORS.

If dependency on CORS is the issue here, then this proposed revision of the From Origin scheme would seem to work, and they retain the default features that font vendors want: ease of license compliance for users.

As I wrote more than a year ago: it makes no sense for the default behaviour of a data and bandwidth protection measure to be tailored to the minority of font licenses and websites that do not require any such measure.

JH

[I should be on the conference call, but will not be on IRC today.]
Received on Wednesday, 16 February 2011 17:33:19 UTC