<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:stein@adobe.com" title="Bram Stein <stein@adobe.com>"> <span class="fn">Bram Stein</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - Downloadable font loads should be subject to CORS"
href="https://bugs.webkit.org/show_bug.cgi?id=86817">bug 86817</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>stein@adobe.com
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Downloadable font loads should be subject to CORS"
href="https://bugs.webkit.org/show_bug.cgi?id=86817#c7">Comment # 7</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Downloadable font loads should be subject to CORS"
href="https://bugs.webkit.org/show_bug.cgi?id=86817">bug 86817</a>
from <span class="vcard"><a class="email" href="mailto:stein@adobe.com" title="Bram Stein <stein@adobe.com>"> <span class="fn">Bram Stein</span></a>
</span></b>
<pre>It would be great if Safari/WebKit starts enforcing the same-origin policy for web fonts. At Adobe Typekit we're currently using referrer header matching to prevent accidental misuse of the fonts we serve to our customers. This is rather heavy handed and doesn't work in some of the use-cases we would like to support (dynamically created iframes, browsers in privacy mode, etc). We would very much like to start using CORS headers on our web fonts instead.
Based on our research (<a href="http://stateofwebtype.com/#CORS">http://stateofwebtype.com/#CORS</a>) Safari is the only major browser that does not enforce the same-origin policy for web fonts. We would appreciate it very much if Safari/WebKit could reconsider their position on this issue.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>