- From: Thomas Lord <lord@emf.net>
- Date: Sat, 25 Jul 2009 14:28:08 -0700
- To: Chris Fynn <cfynn@gmx.net>
- Cc: www-font <www-font@w3.org>, Sylvain Galineau <sylvaing@microsoft.com>
On Sat, 2009-07-25 at 14:40 +0600, Chris Fynn wrote:
> If same origin restrictions are enforced by the UA how can an EULA
> reasonably require them? Surely web authors cannot be held responsible
> for how particular browsers accessing their sites happen to behave in
> this regard. Or is the server supposed to check each time which UA is
> accessing the site and only serve web fonts to those it knows enforce
> same-origin restrictions?

I think that it fundamentally comes down to trust and probability, as follows:

Same origin restrictions exist, where they do, to protect server operators, to protect browser-side security, and to protect user privacy. Reputable browser implementers have plenty of incentive to implement them well.

A EULA cannot say "if you put this font on the web then you MUST ensure it is never used in an unauthorized cross-origin way" because, as you note, authors can't possibly perform that obligation.

A EULA can say "you must configure your server according to the CORS spec". Authors *can* perform that obligation.

Most users will be using browsers from reputable suppliers, configured in the default way, and the CORS effect will be achieved.

-t
Received on Saturday, 25 July 2009 21:28:48 UTC