Re: CSS3 @font-face / EOT Fonts

On Fri, Nov 7, 2008 at 1:44 PM, Aryeh Gregor <> wrote:

> In the same vein, I think a default same-origin restriction that needs
> to be overridden by HTTP headers is a really bad idea.  It kills
> remote linking of resources unless it's explicitly enabled, and that's
> exactly the opposite of the incredibly successful model that the web
> has always used.

It's been incredibly successful in some ways. It's also been incredibly
disastrous for security (when applied to scripts, images and IFRAMEs at

> It means that people can't just see a font they like
> on a website and be reasonably sure of remote-linking it, *even* if
> the font is free.

I happen to agree with the "other side" that allowing anyone to link to any
font anywhere, unless the person hosting the font file has taken explicit
steps to forbid, makes it too easy for people to do the wrong thing.

> They'd have to copy it to their domain, if they can
> even upload font files to their domain (consider an Internet message
> board allowing a decent subset of CSS, or Wikipedia); and if they want
> to use a font in multiple places, they'd have to figure out how to
> work .htaccess files or who knows what.

I'm sure that sooner or later the free file hosting providers will support
"Access-Control-Allow-Origin: *". As soon as one does, your problem goes

"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah

Received on Friday, 7 November 2008 02:26:18 UTC
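The policy the two sides are arguing about, as an added example that is not part of the thread and not any browser's code: a same-origin-by-default check for a `@font-face` resource that is relaxed only when the font's HTTP response carries `Access-Control-Allow-Origin` (either the wildcard `*` that a file host could set, or the exact origin of the embedding page). The URLs and headers are constructed for the demonstration; the function is a simplified model (no `Origin` request header, no preflight), and the origin comparison follows the usual scheme/host/port triple with default ports normalized.

```python
from urllib.parse import urlsplit

# Default ports are normalized so "http://a.example:80/" and "http://a.example/"
# count as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin triple."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def font_load_allowed(page_url, font_url, font_response_headers):
    """Decide whether the page at page_url may use the font at font_url.

    Model (simplified, constructed for this example):
      1. Same origin: always allowed.
      2. Cross origin: allowed only if the font response carries
         Access-Control-Allow-Origin equal to "*" or to the page's origin.
    Returns (allowed: bool, reason: str).
    """
    page_origin = origin_of(page_url)
    font_origin = origin_of(font_url)
    if page_origin == font_origin:
        return True, "same-origin"

    # Header names are case-insensitive; take the last one if repeated.
    acao = None
    for name, value in font_response_headers.items():
        if name.lower() == "access-control-allow-origin":
            acao = value.strip()

    if acao is None:
        return False, "cross-origin, no Access-Control-Allow-Origin header"
    if acao == "*":
        return True, "cross-origin, wildcard Access-Control-Allow-Origin"
    # A literal origin must match the page origin exactly; "null" or a
    # different site parses to a triple that cannot match.
    if origin_of(acao) == page_origin:
        return True, "cross-origin, Access-Control-Allow-Origin matches page origin"
    return False, "cross-origin, Access-Control-Allow-Origin does not match"


def demo():
    """Run the constructed scenarios from the discussion and collect results."""
    page = "https://blog.example.org/post.html"
    cases = {
        "own font": ("https://blog.example.org/fonts/body.eot", {}),
        "hotlinked, host silent": ("https://fonts.example.net/free.ttf", {}),
        "hotlinked, host opts in with *": (
            "https://fonts.example.net/free.ttf",
            {"Access-Control-Allow-Origin": "*"},
        ),
        "hotlinked, host allows this site only": (
            "https://fonts.example.net/free.ttf",
            {"access-control-allow-origin": "https://blog.example.org"},
        ),
        "hotlinked, host allows another site": (
            "https://fonts.example.net/free.ttf",
            {"Access-Control-Allow-Origin": "https://someone-else.example"},
        ),
    }
    return {label: font_load_allowed(page, url, hdrs) for label, (url, hdrs) in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5}  {label:40}  {reason}")
```

The "host silent" case is the one the quoted message objects to: with a default-deny policy a freely licensed font is unusable cross-origin until whoever hosts it adds the header, which is exactly the step the reply expects file hosts to take with `Access-Control-Allow-Origin: *`.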