- From: Sylvain Galineau <sylvaing@microsoft.com>
- Date: Sun, 20 Feb 2011 17:11:24 +0000
- To: Maciej Stachowiak <mjs@apple.com>
- CC: "Levantovsky, Vladimir" <Vladimir.Levantovsky@MonotypeImaging.com>, Håkon Wium Lie <howcome@opera.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
[Maciej Stachowiak:] > I think once we have a high volume of content making use of this feature, > we will not be able to change the default in either direction. We can't > change a loose default to a restrictive default, or pages are likely to > break. But if we change a restrictive default to a loose default, it will > probably introduce security issues. That's why I am treating this as a > "for all time" decision and not a "for today" decision. Sorry, I don't understand this. The default behavior currently implemented by IE and Firefox is stricter, not looser. It was also agreed that in no way did this mechanism represent a security measure as an attacker is perfectly able to set the HTTP header required for the font to be delivered. So what are we talking about ?
Received on Sunday, 20 February 2011 17:11:57 UTC