On Jun 25, 2009, at 8:27 PM, Robert O'Callahan wrote:

> My understanding is that because of that problem, many firewalls are
> configured to strip ALL Referer headers. So all users behind such a
> firewall would be denied all fonts on servers that do Referer
> checking.
>
> For a lot of site authors, this might be acceptable, or they might
> send you a second-choice open license font instead. I wonder if it
> would be acceptable to the font publishers. It would not be that
> different from sites that block de-referred browsers from seeing
> their images.
>
> Sure, it might be acceptable, but default same-origin checks plus
> CORS are a better solution: more reliable, more privacy for users,
> more convenient for authors.

I agree that CORS is a better way to exchange that sort of information, but I am less thrilled about the idea of same-origin checks for fonts. If CORS could actually deny access on its own to non-authorized sites for whatever assets we want, instead of having to paint the restrictions with such a broad brush (as Firefox is doing with fonts), it would solve even more problems (such as allowing a site to block access to certain images from sites they don't authorize, but without necessarily blocking entire networks that strip referrer info).

Received on Friday, 26 June 2009 03:38:32 UTC
This archive was generated by hypermail 2.4.0 : Friday, 25 March 2022 10:07:37 UTC