Re: About using CORS from Robert O'Callahan on 2010-05-04 (www-font@w3.org from April to June 2010)

From: Robert O'Callahan <robert@ocallahan.org>
Date: Wed, 5 May 2010 08:29:36 +1200
To: "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>
Cc: Sylvain Galineau <sylvaing@microsoft.com>, Anne van Kesteren <annevk@opera.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
Message-ID: <g2q11e306601005041329t421553b1p6514aaac31842a40@mail.gmail.com>

For what it's worth, I don't think this security argument holds much water.
The attacker can always send Access-Control-Allow-Origin:* from their server
to enable cross-site usage. The same-origin check may discourage authors
from linking to other people's sites (which later get compromised or
domain-stolen), thus providing some protection that way, but that's a very
weak argument IMHO.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]

Received on Tuesday, 4 May 2010 20:32:25 UTC