[webkit-dev] Should we restrict Web Fonts to same-origin by default?
Maciej Stachowiak
mjs at apple.com
Tue Jun 23 20:55:16 PDT 2009
On Jun 23, 2009, at 8:47 PM, Darin Fisher wrote:
> On Mon, Jun 22, 2009 at 1:26 PM, Ojan Vafai <ojan at chromium.org> wrote:
> On Mon, Jun 22, 2009 at 12:45 PM, David Hyatt <hyatt at apple.com> wrote:
> On Jun 22, 2009, at 2:38 PM, Maciej Stachowiak wrote:
> Mozilla restricts downloaded fonts to same-origin by default, with
> the ability for the hosting site to open up access via Access-
> Control (aka CORS). Apparently this step has the potential to make
> font foundries more comfortable about using straight up OpenType
> fonts on the Web, without introducing DRM. Should we follow
> Mozilla's lead on this?
>
> I see no reason to do this.
>
> I also see harm from doing this. There are many sites (e.g. Google
> Docs) that serve static content of a different, cookie-less domain
> for performance reasons. They would be unable to do this for Web
> Fonts with this restriction.
>
> This is an increasingly common practice as tools like http://code.google.com/speed/page-speed/
> become more ubiquitous.
>
> Ojan
>
>
> Wouldn't Access-Control still support serving the Web Fonts off of a
> secondary domain?
The main effect would be to change the default behavior. Hotlinking
would be disabled unless the server opts in via Access-Control. The
Mozilla folks haven't made a hugely compelling case for this
restriction though.
- Maciej
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20090623/1f2cba28/attachment.html>
More information about the webkit-dev
mailing list