[webkit-dev] Should we restrict Web Fonts to same-origin by default?

Maciej Stachowiak mjs at apple.com
Tue Jun 23 20:55:16 PDT 2009


On Jun 23, 2009, at 8:47 PM, Darin Fisher wrote:

> On Mon, Jun 22, 2009 at 1:26 PM, Ojan Vafai <ojan at chromium.org> wrote:
> On Mon, Jun 22, 2009 at 12:45 PM, David Hyatt <hyatt at apple.com> wrote:
> On Jun 22, 2009, at 2:38 PM, Maciej Stachowiak wrote:
> Mozilla restricts downloaded fonts to same-origin by default, with  
> the ability for the hosting site to open up access via Access- 
> Control (aka CORS). Apparently this step has the potential to make  
> font foundries more comfortable about using straight up OpenType  
> fonts on the Web, without introducing DRM. Should we follow  
> Mozilla's lead on this?
>
> I see no reason to do this.
>
> I also see harm from doing this. There are many sites (e.g. Google  
> Docs) that serve static content of a different, cookie-less domain  
> for performance reasons. They would be unable to do this for Web  
> Fonts with this restriction.
>
> This is an increasingly common practice as tools like http://code.google.com/speed/page-speed/ 
>  become more ubiquitous.
>
> Ojan
>
>
> Wouldn't Access-Control still support serving the Web Fonts off of a  
> secondary domain?

The main effect would be to change the default behavior. Hotlinking  
would be disabled unless the server opts in via Access-Control. The  
Mozilla folks haven't made a hugely compelling case for this  
restriction though.

  - Maciej

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20090623/1f2cba28/attachment.html>


More information about the webkit-dev mailing list