- From: John Hudson <tiro@tiro.com>
- Date: Mon, 20 Jun 2011 11:01:56 -0700
- To: "Levantovsky, Vladimir" <Vladimir.Levantovsky@MonotypeImaging.com>
- CC: Florian Rivoal <florianr@opera.com>, Glenn Adams <glenn@skynav.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Jonathan Kew <jonathan@jfkew.plus.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, www-font@w3.org
Vladimir wrote: > I believe there may be a need for clarification here: From-Origin (as proposed by Anne) or CORS (as it exists today) are both access control mechanisms - From-Origin offers a generic way for authors to opt-in for origin restrictions for any resource type, while CORS allows to relax (i.e. opt-out from) the restriction that is imposed by default. They are not alternative solutions to same origin restriction - they both complement it by offering a way to relax it. That statement is true *if* the default state is same origin restriction. That clearly is not the case in today's UAs with regard to many resource types. So such a default either must be webfont specific or must involve overhaul of how all resource types are currently handled, which seems to me very unlikely. From-Origin is a resource-agnostic mechanism, so it seems to me that the default same origin status of a particular resource type would have to be defined elsewhere. From-Origin per se is not a mechanism to relax a default same origin restriction or a mechanism to restrict a default cross origin permission: it is a mechanism for an author to define specific restrictions or permissions for individual resources. As such, I think it provides the essential characteristics that we've been seeking in a same origin mechanism for webfonts: it provides an easy and reliable means for authors to comply with license terms. I too would prefer the default status of webfont resources to be same origin restricted, but I think we need to be clear that there are two different sets of issues to be resolved: 1. publication of From-Origin as a W3C recommendation with, I would argue, an obligation that UAs MUST respect From-Origin headers when present; 2. publication of a Webfonts Conformance Specification that defines, among other things, appropriate same origin restrictions for webfonts. It is this second issue around which I can see most debate taking place, specifically with regard to a) whether the default status of webfont resources should be same origin restricted or not, and b) whether this should be a SHOULD or a MUST statement. In other words, I think the From-Origin mechanism itself should not be optional, and I don't see any value in having such a mechanism be optional. But I'm happy to have the debate about whether making the default status of webfont resources same origin restricted may be optional. From-Origin can function as either opt-in or opt-out, and an author wouldn't even need to know which way it is being used for a given resource: all he or she cares about is that the header setting be respected. Having webfonts be, by default, same origin restricted, best solves the case of sites that fail to set a From-Origin header, or that set one that cannot be resolved because of e.g. a typo, in terms of preventing unlicensed crosslinking or info leakage (which is why I prefer it), but directing licensees to set 'From-Origin:same' seems to me desirable regardless of the default as it makes them conscious of protection of their investment. JH
Received on Monday, 20 June 2011 18:02:38 UTC