[whatwg] font security on measureText

Anne van Kesteren annevk at annevk.nl
Fri May 3 02:23:54 PDT 2013

On Thu, May 2, 2013 at 10:49 PM, Rik Cabanier <cabanier at gmail.com> wrote:
> Reading the Origin spec [1]:
> For fonts:
> The origin of a downloadable Web font is an alias to the origin of the
> absolute URL used to obtain the font (after any redirects). [CSSFONTS]
> The origin of a locally installed system font is an alias to the origin of
> the Document in which that font is being used.
> Fonts do not have an effective script origin.

1. That assumes tainted cross-origin as a fetching mode.
http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
it uses CORS.

2. That really ought to be defined by CSS directly.

>> Part of the problem here is that CSS lacks a bunch of text.
> What do you mean by that? Is this underspecified?

CSS should say it fetches using mode CORS. That will result in
either a response marked CORS-same-origin or a network error. Fonts
can then be assumed to be safe as there is no way to obtain a
tainted font. (However, it is my understanding not all browsers are
aligned on this at the moment, so you might want to make sure that
happens first.)
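As an added illustration of the point above (not code from the thread, from Anne, or from any WHATWG spec), here is a minimal model of the three Fetch request modes applied to a web-font fetch. It shows why fetching fonts with mode CORS can only ever yield a usable response or a network error, while mode no-cors is the one that produces an opaque, tainted response. The origin parser, the CORS header check, the outcome names and the sample cases are all simplifications constructed for this example; real browsers run the full Fetch and CORS algorithms.

```javascript
// Added illustration (not from the thread): a minimal model of the Fetch
// request modes (same-origin, no-cors, cors) applied to a web-font fetch.
// Origin parsing and the CORS check are deliberately simplified.

// Origin of an absolute URL as scheme://host:port, with default ports filled
// in so that "https://a.example" and "https://a.example:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Simplified CORS response check: Access-Control-Allow-Origin must be "*"
// or exactly the requesting origin. `responseHeaders` is a plain object with
// lowercase header names (constructed for the example).
function passesCorsCheck(requestOrigin, responseHeaders) {
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (allow === "*") return true;
  try {
    return originOf(allow) === requestOrigin;
  } catch (_) {
    return false; // malformed or "null" value never matches
  }
}

// Outcome of a font fetch under a given mode. Return values:
//   "basic"          same-origin response, fully usable
//   "cors"           cross-origin response that passed the CORS check (what
//                    the thread calls "marked CORS-same-origin"), usable
//   "opaque"         cross-origin response without CORS: delivered but tainted
//   "network-error"  nothing is delivered
function resolveFontFetch(documentUrl, fontUrl, mode, responseHeaders) {
  const documentOrigin = originOf(documentUrl);
  if (originOf(fontUrl) === documentOrigin) return "basic";
  switch (mode) {
    case "same-origin":
      return "network-error";
    case "no-cors":
      return "opaque";
    case "cors":
      return passesCorsCheck(documentOrigin, responseHeaders)
        ? "cors"
        : "network-error";
    default:
      throw new Error(`unknown request mode: ${mode}`);
  }
}

// A font is tainted exactly when the response was opaque: text metrics from
// measureText on such a font would reveal something about a cross-origin
// resource the page was never allowed to read.
function isTainted(outcome) {
  return outcome === "opaque";
}

// Constructed sample cases covering both sides of the CORS check.
const SAMPLE_CASES = [
  { fontUrl: "https://app.example/fonts/a.woff", headers: {} },
  { fontUrl: "https://cdn.example/fonts/b.woff", headers: {} },
  { fontUrl: "https://cdn.example/fonts/c.woff",
    headers: { "access-control-allow-origin": "*" } },
  { fontUrl: "https://cdn.example/fonts/d.woff",
    headers: { "access-control-allow-origin": "https://app.example" } },
  { fontUrl: "https://cdn.example/fonts/e.woff",
    headers: { "access-control-allow-origin": "https://other.example" } },
];

// Set of outcomes a given mode can produce over the sample cases.
function outcomesForMode(mode, documentUrl = "https://app.example/page.html") {
  return new Set(
    SAMPLE_CASES.map(c => resolveFontFetch(documentUrl, c.fontUrl, mode, c.headers))
  );
}

for (const mode of ["same-origin", "no-cors", "cors"]) {
  console.log(mode, [...outcomesForMode(mode)].join(", "));
}
```

Running it lists, per mode, which outcomes the sample cases produce: only no-cors ever yields "opaque", which is the property Anne's argument relies on.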

