Re: New work on fonts at W3C

On Fri, Jun 26, 2009 at 3:22 PM, Brad Kemper <brad.kemper@gmail.com> wrote:

> On Jun 25, 2009, at 3:22 PM, Robert O'Callahan wrote:
>
>> So browsers that send incorrect headers would fail to work with linked
>> fonts in this scenario? That seems like something browser vendors might be
>> willing to fix.
>
>
> The big problem is that some firewalls strip Referer headers because they
> don't want to reveal URLs of internal pages. For example, if
> https://intranet.mozilla.com/Orbital_Mind_Control_Lasers.html links to
> http://www.nasa.gov, Mozilla might not want nasa.gov administrators to see
> that URL in their Referer logs. So Referer is not really fixable.
>
>
> So the result would be that the Mozilla intranet would see the NASA pages
> without NASA's embedded fonts, then right?
>

My understanding is that because of that problem, many firewalls are
configured to strip ALL Referer headers. So all users behind such a firewall
would be denied all fonts on servers that do Referer checking.


> For a lot of site authors, this might be acceptable, or they might send you
> a second-choice open license font instead. I wonder if it would be
> acceptable to the font publishers. It would not be that different from sites
> that block de-referred browsers from seeing their images.
>

Sure, it might be acceptable, but default same-origin checks plus CORS are a
better solution: more reliable, more privacy for users, more convenient for
authors.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]

Received on Friday, 26 June 2009 03:36:59 UTC
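
Added example, not part of the original message: a small simulation of the two access-control models discussed above, showing what happens to a legitimate page when a firewall strips the Referer header. The origins, allowlist and function names are constructed for illustration, and it assumes the stripping firewall leaves the Origin header (which carries only scheme, host and port) intact.

```javascript
// Constructed values: the font host and the one site licensed to use its fonts.
const FONT_HOST_ORIGIN = "https://fonts.example.net";
const ALLOWED_ORIGINS = new Set(["https://www.example.org"]);

// Model 1: server-side Referer check. The server refuses the font unless
// the Referer names an allowed site. A stripped Referer looks like hotlinking.
function refererCheck(headers) {
  const referer = headers["referer"];
  if (!referer) return { status: 403, headers: {} };
  let origin;
  try { origin = new URL(referer).origin; } catch { return { status: 403, headers: {} }; }
  return { status: ALLOWED_ORIGINS.has(origin) ? 200 : 403, headers: {} };
}

// Model 2: the server always answers, and states which origin may use the
// response. Vary: Origin keeps caches from reusing it for another site.
function corsResponse(headers) {
  const res = { status: 200, headers: { "Vary": "Origin" } };
  const origin = headers["origin"];
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.headers["Access-Control-Allow-Origin"] = origin;
  }
  return res;
}

// Browser side of model 2: fonts are same-origin by default, relaxed by CORS.
function browserMayUseFont(pageOrigin, fontOrigin, res) {
  if (res.status !== 200) return false;
  if (pageOrigin === fontOrigin) return true;
  const acao = res.headers["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Does a page at pageUrl get the font under each model?
function simulate(pageUrl, refererStripped) {
  const pageOrigin = new URL(pageUrl).origin;
  const headers = { origin: pageOrigin };           // host only, no page path
  if (!refererStripped) headers.referer = pageUrl;  // full URL of the page
  return {
    refererModel: refererCheck(headers).status === 200,
    corsModel: browserMayUseFont(pageOrigin, FONT_HOST_ORIGIN, corsResponse(headers)),
  };
}

console.log(simulate("https://www.example.org/article.html", false));
console.log(simulate("https://www.example.org/article.html", true));
console.log(simulate("https://other.example.com/copy.html", false));
```
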