Re: css3-fonts: should not dictate usage policy with respect to origin

Vladimir wrote:

> I believe there may be a need for clarification here: From-Origin (as proposed by Anne) or CORS (as it exists today) are both access control mechanisms - From-Origin offers a generic way for authors to opt-in for origin restrictions for any resource type, while CORS allows to relax (i.e. opt-out from) the restriction that is imposed by default. They are not alternative solutions to same origin restriction - they both complement it by offering a way to relax it. 

That statement is true *if* the default state is same origin 
restriction. That clearly is not the case in today's UAs with regard to 
many resource types. So such a default either must be webfont specific 
or must involve overhaul of how all resource types are currently 
handled, which seems to me very unlikely.

From-Origin is a resource-agnostic mechanism, so it seems to me that the 
default same origin status of a particular resource type would have to 
be defined elsewhere. From-Origin per se is not a mechanism to relax a 
default same origin restriction or a mechanism to restrict a default 
cross origin permission: it is a mechanism for an author to define 
specific restrictions or permissions for individual resources. As such, 
I think it provides the essential characteristics that we've been 
seeking in a same origin mechanism for webfonts: it provides an easy and 
reliable means for authors to comply with license terms. I too would 
prefer the default status of webfont resources to be same origin 
restricted, but I think we need to be clear that there are two different 
sets of issues to be resolved:

1. publication of From-Origin as a W3C recommendation with, I would 
argue, an obligation that UAs MUST respect From-Origin headers when present;

2. publication of a Webfonts Conformance Specification that defines, 
among other things, appropriate same origin restrictions for webfonts.

It is this second issue around which I can see most debate taking place, 
specifically with regard to a) whether the default status of webfont 
resources should be same origin restricted or not, and b) whether this 
should be a SHOULD or a MUST statement.

In other words, I think the From-Origin mechanism itself should not be 
optional, and I don't see any value in having such a mechanism be 
optional. But I'm happy to have the debate about whether making the 
default status of webfont resources same origin restricted may be optional.

From-Origin can function as either opt-in or opt-out, and an author 
wouldn't even need to know which way it is being used for a given 
resource: all he or she cares about is that the header setting be 
respected. Having webfonts be, by default, same origin restricted, best 
solves the case of sites that fail to set a From-Origin header, or that 
set one that cannot be resolved because of e.g. a typo, in terms of 
preventing unlicensed crosslinking or info leakage (which is why I 
prefer it), but directing licensees to set 'From-Origin:same' seems to 
me desirable regardless of the default as it makes them conscious of 
protection of their investment.

JH

Received on Monday, 20 June 2011 18:02:38 UTC