W3C home > Mailing lists > Public > www-font@w3.org > July to September 2009

Re: the discussion is over, resistance time

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Thu, 2 Jul 2009 19:19:25 -0500
Message-ID: <dd0fbad0907021719y711684afvcc2791cbd1bb53a5@mail.gmail.com>
To: Thomas Lord <lord@emf.net>
Cc: Sylvain Galineau <sylvaing@microsoft.com>, luke whitmore <lwhitmore@gmail.com>, "www-font@w3.org" <www-font@w3.org>
On Thu, Jul 2, 2009 at 7:02 PM, Thomas Lord<lord@emf.net> wrote:
> On Thu, 2009-07-02 at 18:46 -0500, Tab Atkins Jr. wrote:
>> As I noted elsethread, Thomas, rootstrings are functionally identical
>> to same-origin restrictions.
> Wow, this is really tripping people up.
> No, they are not functionally identical.
> A server might be reasonably configured to
> refuse certain requests for a font.  Systems
> like CORS allow conforming browsers to
> streamline and simplify that server's right
> of refusal.

Unless I'm *completely* wrong (and I don't think I am, because Anne
has been very assertive in correcting people about how same-origin and
CORS works), you're wrong.

Same-origin restrictions do not affect the server *at all*.  If a
same-origin restriction is in effect, the *browser* enforces it,
*after* receiving the resource from the server.

In order for same-origin to be enforced on the server, as you
envision, it is necessary for the client to send the server the origin
of the page they are viewing.  This is a potential privacy breach, in
the exact same way that the Referer header is (in fact, it essentially
*is* a Referer header).  The server doesn't *need* to know the origin
of the page that contains the request in order to fulfill that
request, it just needs the IP of the client.

On the other hand, the browser is uniquely suited to enforce this
without a privacy breach.  It's the actor rendering the page that
includes the request, so it knows the origin that the request
originates from.  It also obviously knows the origin of the server
(that's contained in the request URL).  Thus it can compare the two
and decide whether same-origin has been violated.

Note, though - the browser *cannot* make this decision *before*
sending the request.  Doing so is to assume that the resource is
really *only* usable when requested from the same origin.  CORS
headers, which are sent with the response, may relax this requirement,
allowing a resource to be used when requested from a different origin.

So, the overall process looks like this:

1. Average user visits a page.

2. Page has a link to some resource which is covered by a same-origin
restriction (perhaps a font file is linked from a @font-face rule, or
a script on the page is making an XHR).

3. Browser reads the page, find this link, and makes a request to the
indicated server.

4. Server returns the requested resource, and potentially adds some
CORS headers to the response.

5. Browser receives the response, checks the page's origin against the
response's origin (or the origins in the CORS headers), and decides
whether or not to allow the page/css/script to use the resource.

Having the server make the decision requires checking the Referer
header or a functional equivalent, which some users may legitimately
not send.

> A system of rootstrings forbids a client from
> performing certain computations with a file that
> is already in hand, if the client is to be called
> conforming.  This refusal is in spite of the fact
> that no interop enhancement is thus obtained.
> Do you not see the difference?

As I explained above, same-origin/CORS also forbids the client from
using a resource which it has in hand.

Received on Friday, 3 July 2009 00:20:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:37:32 UTC