RE: same-origin restrictions and EULA (Re: A way forward)

>From: Chris Fynn [mailto:cfynn@gmx.net]
>Sent: Saturday, July 25, 2009 1:41 AM
>To: www-font
>Cc: Sylvain Galineau
>Subject: same-origin restrictions and EULA (Re: A way forward)
>
>
>If same origin restrictions are enforced by the UA how can an EULA
>reasonably require them? Surely web authors cannot be held responsible
>for how particular browsers accessing their sites happen to behave in
>this regard. Or is the server supposed to check each time which UA is
>accessing the site and only serve web fonts to those it knows enforce
>same-origin restrictions?

One of the features that made EOT attractive to font vendors in the past
was rootstrings. They're essentially a hardcoded same-origin policy embedded
in the file. If the new format does not have rootstrings it is fair to ask
whether the EULA will require same-origin to be enforced in another way.

If it does, then EOT-Lite may have a problem since a) the files have
a null rootstring and b) the IE installed base (the reach of which makes
EOT-Lite relatively attractive in the short/medium term) would thus not
do any same-origin check by default.

Received on Saturday, 25 July 2009 16:11:29 UTC