Discussion:
Firefox same-origin policy for fonts
(too old to reply)
p***@sydney.edu.au
2010-09-12 23:43:47 UTC
Permalink
One of my users asked me to install MathJax on my server.
Reading installation instructions in
http://www.mathjax.org/resources/docs/?installation.html#notes-about-shared-installations
I came across the following:

... Firefox's same-origin security policy for cross-domain scripting.
Firefox's interpretation of the same-origin policy is more strict than
most other browsers, and it affects how fonts are loaded with the
@font-face CSS directive. ...
There is a solution to this, however, if you manage the server ...
create a file called .htaccess that contains the following lines: ...
Header set Access-Control-Allow-Origin "*"

That would suggest that this same-origin policy can be defeated by
settings on the "evil" server: the policy is not enforced, useless.
Did I misunderstand something?

(Does not really matter to me, am not planning on using that setting,
but am wondering about Firefox workings.)

Thanks,

Paul Szabo ***@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Dan Kaminsky
2010-09-12 23:56:28 UTC
Permalink
The idea is the same as crossdomain.xml in flash -- content can
explicitly opt into being shared across domain boundaries.

Our real problem is that there's no way to know whether content is
generically available to the Internet, or just you because of IP
firewalling / cookies / whatnot. So we have to default to blocking
all cross domain reads, since that other domain might be hosting your
email.
Post by p***@sydney.edu.au
One of my users asked me to install MathJax on my server.
Reading installation instructions in
 http://www.mathjax.org/resources/docs/?installation.html#notes-about-shared-installations
 ... Firefox's same-origin security policy for cross-domain scripting.
 Firefox's interpretation of the same-origin policy is more strict than
   most other browsers, and it affects how fonts are loaded with the
 There is a solution to this, however, if you manage the server ...
   create a file called .htaccess that contains the following lines: ...
   Header set Access-Control-Allow-Origin "*"
That would suggest that this same-origin policy can be defeated by
settings on the "evil" server: the policy is not enforced, useless.
Did I misunderstand something?
(Does not really matter to me, am not planning on using that setting,
but am wondering about Firefox workings.)
Thanks,
School of Mathematics and Statistics   University of Sydney    Australia
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Daniel Veditz
2010-09-13 07:42:52 UTC
Permalink
Post by p***@sydney.edu.au
Firefox's interpretation of the same-origin policy is more strict than
most other browsers, and it affects how fonts are loaded with the
@font-face CSS directive. ...
There is a solution to this, however, if you manage the server ...
create a file called .htaccess that contains the following lines: ...
Header set Access-Control-Allow-Origin "*"
That would suggest that this same-origin policy can be defeated by
settings on the "evil" server: the policy is not enforced, useless.
Did I misunderstand something?
The same-origin rules on WOFF are about IP rights rather than security.
Unlike images, a page can only use a WOFF font with the cooperation of the
font-hosting site. If it happens to be a licensed font and is being misused
then the foundry knows who to talk to. A site using a font they don't have
a license for will have to host it themselves, they can't hide behind the
link being just text and claim it was the browser that did the infringing.

https://developer.mozilla.org/en/About_WOFF

-Dan Veditz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Loading...