Re: [Full-disclosure] Firefox same-origin policy for fonts

[Daniel Veditz <dveditz@xxxxxxxxxx>]

On 9/12/2010 4:43 PM, paul.szabo@xxxxxxxxxxxxx wrote:
>   Firefox's interpretation of the same-origin policy is more strict than
>     most other browsers, and it affects how fonts are loaded with the
>     @font-face CSS directive. ...
>   There is a solution to this, however, if you manage the server ...
>     create a file called .htaccess that contains the following lines: ...
>     Header set Access-Control-Allow-Origin "*"
> 
> That would suggest that this same-origin policy can be defeated by
> settings on the "evil" server: the policy is not enforced, useless.
> Did I misunderstand something?

The same-origin rules on WOFF are about IP rights rather than security.
Unlike images, a page can only use a WOFF font with the cooperation of the
font-hosting site. If it happens to be a licensed font and is being misused
then the foundry knows who to talk to. A site using a font they don't have
a license for will have to host it themselves, they can't hide behind the
link being just text and claim it was the browser that did the infringing.

https://developer.mozilla.org/en/About_WOFF

-Dan Veditz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/