[whatwg] font security on measureText
Anne van Kesteren
annevk at annevk.nl
Fri May 3 02:23:54 PDT 2013
On Thu, May 2, 2013 at 10:49 PM, Rik Cabanier <cabanier at gmail.com> wrote:
> Reading the Origin spec [1]:
>
> For fonts:
>
> The origin of a downloadable Web font is an alias to the origin of the
> absolute URL used to obtain the font (after any redirects). [CSSFONTS]
>
> The origin of a locally installed system font is an alias to the origin of
> the Document in which that font is being used.
>
> Fonts do not have an effective script origin.
1. That assumes tainted cross-origin as a fetching mode.
http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
it uses CORS.
2. That really ought to be defined by CSS directly.
>> Part of the problem here is that CSS lacks a bunch of text.
>
> What do you mean by that? Is this underspecified?
CSS should say it fetches using mode CORS. That will result in a
either a response marked CORS-same-origin or a network error. Fonts
can be then be assumed to be safe as there is no way to obtain a
tainted font. (However, it is my understanding not all browsers are
aligned on this at the moment, so you might want to make sure that
happens first.)
--
http://annevankesteren.nl/
More information about the whatwg
mailing list