[whatwg] font security on measureText

Anne van Kesteren annevk at annevk.nl
Sat May 4 01:16:38 PDT 2013

On Fri, May 3, 2013 at 6:25 PM, Rik Cabanier <cabanier at gmail.com> wrote:
> On Fri, May 3, 2013 at 2:23 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
>> 1. That assumes tainted cross-origin as a fetching mode.
>> http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
>> it uses CORS.
> What do you mean by 'you'?
> The link in Canvas from the WhatWG spec is to the above section

What I'm saying is that the section you're referring to is written
from the perspective of using tainted cross-origin as mode for font
fetching. Which is incorrect per the CSS fonts specification as per
that specification fonts will always be CORS-same-origin with the

> OK. So it seems that the canvas spec should NOT say that the font has to be
> the same origin.
> It should refer to CSS portion that describes this fetching or be silent.

It would not have to say anything.

