Full Disclosure mailing list archives
Re: Firefox same-origin policy for fonts
From: Daniel Veditz <dveditz () cruzio com>
Date: Mon, 13 Sep 2010 00:42:52 -0700
On 9/12/2010 4:43 PM, paul.szabo () sydney edu au wrote:
Firefox's interpretation of the same-origin policy is more strict than most other browsers, and it affects how fonts are loaded with the @font-face CSS directive. ... There is a solution to this, however, if you manage the server ... create a file called .htaccess that contains the following lines: ... Header set Access-Control-Allow-Origin "*" That would suggest that this same-origin policy can be defeated by settings on the "evil" server: the policy is not enforced, useless. Did I misunderstand something?
The same-origin rules on WOFF are about IP rights rather than security. Unlike images, a page can only use a WOFF font with the cooperation of the font-hosting site. If it happens to be a licensed font and is being misused then the foundry knows who to talk to. A site using a font they don't have a license for will have to host it themselves, they can't hide behind the link being just text and claim it was the browser that did the infringing. https://developer.mozilla.org/en/About_WOFF -Dan Veditz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Firefox same-origin policy for fonts paul . szabo (Sep 12)
- Re: Firefox same-origin policy for fonts Dan Kaminsky (Sep 12)
- Re: Firefox same-origin policy for fonts Daniel Veditz (Sep 13)