- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Fri, 17 Jun 2011 16:31:19 -0700
- To: Glenn Adams <glenn@skynav.com>
- Cc: John Hudson <tiro@tiro.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
On Fri, Jun 17, 2011 at 4:17 PM, Glenn Adams <glenn@skynav.com> wrote: > I will take a close look at that proposal and respond further. Samsung's > primary concern is that this type of requirement (as presently written) > delves into the domain of content protection or the enforcement of business > terms. It is one thing to define a mechanism that can be used by those who > wish to control content use and dissemination; it is an entirely different > matter to mandate use of such a mechanism within a content format definition > or referencing scheme. Same-origin restrictions have nothing to do with content protection, as you can trivially just download the font yourself (assuming it's publically accessible) and host it on your own server. It's about two things: 1. A consistent security story. There shouldn't be a distinction between embedding and reading (in practice, they end up being the same due to info leaks). Applying same-origin at the embedding level lets us prevent info leaks more directly than just preventing reading and then hoping we plug the leaks that come from embedding. 2. As a lesser point, protecting server owners from hotlinking is a nice benefit. As I stated above, a third party can always just grab the file and host it themselves; there's never any reason to directly hotlink it. ~TJ
Received on Friday, 17 June 2011 23:32:14 UTC