Hi all,

I'm seeking some clarification on CORS / access control / same-origin relating to fonts. I'm digging through the access-control spec[1], but this is foreign territory to me. I'm hoping someone here more familiar with the spec is willing to help.

My questions:

I understand that same-origin support is something that's built in the UA. I presume this is done for specific filetypes, John Daggett [2]: "By default, Firefox 3.5 only allows fonts to be loaded for pages served from the same site." - correct?

How is CORS / access control implemented in web server apps, specifically:
- if a cross-origin request is received by a server app, am I correct to think the request is denied *unless* there are specific instructions to allow the resource to be served? [3]
- is it possible a server app would have access control switched off, even though the app supports it -- (i.e. is there a state beyond "allow", "deny" -- perhaps "ignored"?)
  -- what is the expected response from the server in this case?
- are there server apps which do not implement access control at all?
  -- what is the expected response from the server in this case?
- in case of denied access to resources other than fonts, is there a common behaviour in User Agents? ignore? alert the user?

Thanks for any help,
Erik

[1] http://www.w3.org/TR/access-control/#origin-header
[2] "Cross-Site Font Usage" at http://hacks.mozilla.org/2009/06/beautiful-fonts-with-font-face/
[3] "Allowing other sites using Cross-Origin Resource Sharing" on http://openfontlibrary.org/wiki/Web_Font_linking_and_Cross-Origin_Resource_Sharing
