[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4C8DD5FC.9010106@cruzio.com>
Date: Mon, 13 Sep 2010 00:42:52 -0700
From: Daniel Veditz <dveditz@...zio.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox same-origin policy for fonts
On 9/12/2010 4:43 PM, paul.szabo@...ney.edu.au wrote:
> Firefox's interpretation of the same-origin policy is more strict than
> most other browsers, and it affects how fonts are loaded with the
> @font-face CSS directive. ...
> There is a solution to this, however, if you manage the server ...
> create a file called .htaccess that contains the following lines: ...
> Header set Access-Control-Allow-Origin "*"
>
> That would suggest that this same-origin policy can be defeated by
> settings on the "evil" server: the policy is not enforced, useless.
> Did I misunderstand something?
The same-origin rules on WOFF are about IP rights rather than security.
Unlike images, a page can only use a WOFF font with the cooperation of the
font-hosting site. If it happens to be a licensed font and is being misused
then the foundry knows who to talk to. A site using a font they don't have
a license for will have to host it themselves, they can't hide behind the
link being just text and claim it was the browser that did the infringing.
https://developer.mozilla.org/en/About_WOFF
-Dan Veditz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists