On 9/12/2010 4:43 PM, [email protected] wrote: > Firefox's interpretation of the same-origin policy is more strict than > most other browsers, and it affects how fonts are loaded with the > @font-face CSS directive. ... > There is a solution to this, however, if you manage the server ... > create a file called .htaccess that contains the following lines: ... > Header set Access-Control-Allow-Origin "*" > > That would suggest that this same-origin policy can be defeated by > settings on the "evil" server: the policy is not enforced, useless. > Did I misunderstand something?
The same-origin rules on WOFF are about IP rights rather than security. Unlike images, a page can only use a WOFF font with the cooperation of the font-hosting site. If it happens to be a licensed font and is being misused then the foundry knows who to talk to. A site using a font they don't have a license for will have to host it themselves, they can't hide behind the link being just text and claim it was the browser that did the infringing. https://developer.mozilla.org/en/About_WOFF -Dan Veditz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
