[whatwg] font security on measureText

Rik Cabanier cabanier at gmail.com
Mon May 6 14:25:42 PDT 2013


On Sat, May 4, 2013 at 1:16 AM, Anne van Kesteren <annevk at annevk.nl> wrote:

> On Fri, May 3, 2013 at 6:25 PM, Rik Cabanier <cabanier at gmail.com> wrote:
> > On Fri, May 3, 2013 at 2:23 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
> >> 1. That assumes tainted cross-origin as a fetching mode.
> >> http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
> >> it uses CORS.
> >
> > What do you mean by 'you'?
> > The link in Canvas from the WhatWG spec is to the above section
>
> What I'm saying is that the section you're referring to is written
> from the perspective of using tainted cross-origin as mode for font
> fetching. Which is incorrect per the CSS fonts specification as per
> that specification fonts will always be CORS-same-origin with the
> document.
>
>
> > OK. So it seems that the canvas spec should NOT say that the font has to
> > be the same origin.
> > It should refer to CSS portion that describes this fetching or be silent.
>
> It would not have to say anything.
>

Thanks.
I logged https://www.w3.org/Bugs/Public/show_bug.cgi?id=21943


