Re: What constitutes protection [was: About using CORS]

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 04 May 2010 13:25:31 +0900
Cc: www-font@w3.org, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
To: "John Hudson" <tiro@tiro.com>, "Sylvain Galineau" <sylvaing@microsoft.com>
Message-ID: <op.vb5yktvw64w2qv@annevk-t60>

Resending to www-font@w3.org so others can participate more easily. I
suggest follow-up email is also posted there. The suggestion from John in
makes perfect sense.

On Tue, 04 May 2010 12:44:58 +0900, Sylvain Galineau
<sylvaing@microsoft.com> wrote:
> Where, why and how does it clash? If a browser does a simple
> cross-domain request as specified by CORS for font resources, how does
> that conflict with the 'existing design for same-origin policy'?

I explained before that to date we only have had same-origin protection to
prevent information leakage. This is consistent across XMLHttpRequest,
<img>, <form>, <video>, <audio>, <script>, <iframe>, etc. While if we
could do things all over again this would likely have been done
differently, we cannot. Since there is no information leakage, restricting
requests to be same-origin is uncalled for and inconsistent with the
design principles that are used for the Web platform.

Of course we can change the principles and make an exception, but I do not
feel it is justified.

(It is probably not worth going further on the "fonts are like images"
theme. I do not think you are right that I lack some kind of knowledge I
could have acquired by participating more. I have studied the subject to
quite some extent since the day David Hyatt implemented @font-face support
in WebKit in a couple of days. I think we simply disagree.)

Anne van Kesteren
Received on Tuesday, 4 May 2010 04:26:17 UTC