W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2013

Re: [whatwg] font security on measureText

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 03 May 2013 10:07:05 -0400
Message-ID: <5183C489.60402@mit.edu>
To: whatwg@lists.whatwg.org
On 5/3/13 5:23 AM, Anne van Kesteren wrote:
> On Thu, May 2, 2013 at 10:49 PM, Rik Cabanier <cabanier@gmail.com> wrote:
>> What do you mean by that? Is this underspecified?
>
> CSS should say it fetches using mode CORS. That will result in a
> either a response marked CORS-same-origin or a network error. Fonts
> can be then be assumed to be safe as there is no way to obtain a
> tainted font. (However, it is my understanding not all browsers are
> aligned on this at the moment, so you might want to make sure that
> happens first.)

The text at 
http://dev.w3.org/csswg/css-fonts/#default-same-origin-restriction and 
http://dev.w3.org/csswg/css-fonts/#allowing-cross-origin-font-loading 
predates your introduction of the mode values, but clearly corresponds 
to the "CORS" mode, no?

And while browsers are not aligned yet, they did plan to align last I 
heard, in that their representatives in the WG had agreed to the above text.

Of course it's possible some of the browsers involved are just planning 
to ignore the spec altogether without bothering to argue to get it 
changed to what they think is the right thing.

-Boris
Received on Friday, 3 May 2013 14:07:34 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:58 UTC