[OpenFontLibrary] Access-control, font linking help

Dave Crossland dave at lab6.com
Tue Jul 14 08:28:13 PDT 2009


2009/7/14 Erik van Blokland <erik at letterror.com>:
>
> I understand that same-origin support is something that's built in the UA.

AIUI, it's built into Safari 4 and Firefox 3.5, and will be in IE9 and
Opera 10, but only FF applies it to fonts at the moment, and it's a
unilateral decision for each browser implementor to make for
themselves.

> I presume this is done for specific filetypes, John Daggett [2]: "By default,
> Firefox 3.5 only allows fonts to be loaded for pages served from the same
> site." - correct?

Yes, because other already-common filetypes have not been subject to
cross origin restrictions and forcing them to be would just make new
browsers work less well for users. But filetypes new to the web can be
treated in new ways - fonts - and since cross site scripting
vulnerabilities are a major problem for web security, changing them is
an improvement for users.

> How is CORS / access control implemented in web server apps, specifically:
>        - if a cross-origin request is received by a server app, am I correct
> to think the request is denied *unless* there are specific instructions to
> allow the resource to be served? [3]

Yes, for browsers that check for cross-origin headers for file types
you are concerned about.

>        - is it possible a server app would have access control switched off,
> even though the app supports it

If the app supports it, and the server doesn't send

    Access-Control-Allow-Origin: *

or

    Access-Control-Allow-Origin: http://allowedsite.com

then the app won't load the resource.

>                -- (i.e. is there a state beyond "allow", "deny" -- perhaps
> "ignored"?)

No, either the request is allowed or denied. Denying equals ignoring.

>                -- what is the expected response from the server in this
> case?

The server sends the file, but the browser doesn't render it, AIUI.

>        - are there server apps which do not implement access control at all?
>                what is the expected response from the server in this case?

All legacy - i.e., existing - server apps do not implement access
control, they just send the files when requested to do so.

>        - in case of denied access to resources other than fonts, is there a
> common behaviour in User Agents? ignore? alert the user?

Silent FAIL, I think.

Sorry this isn't very conclusive or authoritative, I haven't looked
deeply into this because, obviously, my concerns are different to
yours and I've only found out what I need to do what I do :-)
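As an added example, not from this thread or from any server software mentioned in it: a small Python policy function that decides which Access-Control-Allow-Origin header, if any, to attach to a font-file response, covering the "allow" (wildcard or listed origin) and "deny" (no header, file still sent) cases discussed above. `cors_headers_for`, `FONT_EXTENSIONS` and the sample origins are constructed names for illustration.

```python
from urllib.parse import urlsplit

# Assumed, constructed list of the file types this policy covers.
FONT_EXTENSIONS = (".ttf", ".otf", ".woff")


def normalize_origin(origin):
    """Reduce an Origin value to scheme://host[:port], lower-cased."""
    parts = urlsplit(origin.strip())
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}{port}"


def is_font(path):
    return path.lower().endswith(FONT_EXTENSIONS)


def cors_headers_for(path, request_origin, allowed_origins, server_origin):
    """Return the CORS response headers for one request as a dict.

    - non-font files: no header, legacy behaviour is unchanged;
    - same-origin requests (no Origin header, or our own origin): none needed;
    - cross-origin font requests: Access-Control-Allow-Origin only when the
      allow-list is the wildcard "*" or contains the requesting origin;
    - anything else: no header. The server still sends the file; a browser
      that enforces the check simply discards it (the silent failure).
    """
    if not is_font(path) or request_origin is None:
        return {}
    origin = normalize_origin(request_origin)
    if origin == normalize_origin(server_origin):
        return {}
    if "*" in allowed_origins:
        return {"Access-Control-Allow-Origin": "*"}
    if origin in {normalize_origin(o) for o in allowed_origins}:
        # Echo the matched origin and add Vary so shared caches keep
        # responses for different origins apart.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```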
