Re: CSS3 @font-face / EOT Fonts

On Thu, Nov 6, 2008 at 9:20 PM, Robert O'Callahan <> wrote:
> It's been incredibly successful in some ways. It's also been incredibly
> disastrous for security (when applied to scripts, images and IFRAMEs at
> least).

Same-origin restrictions are important for security, of course.  I
just don't see it as being a great solution for DRM.  As far as
security goes, I see no security difference here between the various
proposals, since all allow remote-linking a font with at most the
consent of the font's host (which the uploader of a malicious font
would obviously grant).

> I happen to agree with the "other side" that allowing anyone to link to any
> font anywhere, unless the person hosting the font file has taken explicit
> steps to forbid, makes it too easy for people to do the wrong thing.

Isn't this an identical situation to images?  Do you think the web
would be better if linking to images across domains was opt-in (and
opting in required messing with web server configuration)?

Received on Friday, 7 November 2008 03:22:46 UTC