- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 3 May 2013 10:23:54 +0100
- To: Rik Cabanier <cabanier@gmail.com>
- Cc: WHATWG <whatwg@whatwg.org>, "public-canvas-api@w3.org" <public-canvas-api@w3.org>
On Thu, May 2, 2013 at 10:49 PM, Rik Cabanier <cabanier@gmail.com> wrote: > Reading the Origin spec [1]: > > For fonts: > > The origin of a downloadable Web font is an alias to the origin of the > absolute URL used to obtain the font (after any redirects). [CSSFONTS] > > The origin of a locally installed system font is an alias to the origin of > the Document in which that font is being used. > > Fonts do not have an effective script origin. 1. That assumes tainted cross-origin as a fetching mode. http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume it uses CORS. 2. That really ought to be defined by CSS directly. >> Part of the problem here is that CSS lacks a bunch of text. > > What do you mean by that? Is this underspecified? CSS should say it fetches using mode CORS. That will result in a either a response marked CORS-same-origin or a network error. Fonts can be then be assumed to be safe as there is no way to obtain a tainted font. (However, it is my understanding not all browsers are aligned on this at the moment, so you might want to make sure that happens first.) -- http://annevankesteren.nl/
Received on Friday, 3 May 2013 09:24:21 UTC