Re: [whatwg] font security on measureText

From: Rik Cabanier <cabanier@gmail.com>
Date: Mon, 6 May 2013 14:25:42 -0700
Message-ID: <CAGN7qDDRYpNRxtfN8iFExW39qPmiBOE+N9Q_FMUzZoZGjb+aZw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@whatwg.org>, "public-canvas-api@w3.org" <public-canvas-api@w3.org>

On Sat, May 4, 2013 at 1:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Fri, May 3, 2013 at 6:25 PM, Rik Cabanier <cabanier@gmail.com> wrote:
> > On Fri, May 3, 2013 at 2:23 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> >> 1. That assumes tainted cross-origin as a fetching mode.
> >> http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
> >> it uses CORS.
> >
> > What do you mean by 'you'?
> > The link in Canvas from the WhatWG spec is to the above section
>
> What I'm saying is that the section you're referring to is written
> from the perspective of using tainted cross-origin as mode for font
> fetching. Which is incorrect per the CSS fonts specification as per
> that specification fonts will always be CORS-same-origin with the
> document.
>
>
> > OK. So it seems that the canvas spec should NOT say that the font has to be
> > the same origin.
> > It should refer to CSS portion that describes this fetching or be silent.
>
> It would not have to say anything.
>

Thanks.
I logged https://www.w3.org/Bugs/Public/show_bug.cgi?id=21943
Received on Monday, 6 May 2013 21:26:14 UTC