Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Typeface and Images Cross-Origin Resource Sharing

I noticed that typeface are always subject to Cross-Origin Resource Sharing(CORS) and the images are not.

SCENARIO

Website A: On this website, we have a limitation on uploading resources. We can only upload HTML file. All external files are pointing to Website B.

Website B: All resources are uploaded to this website.

Image are okay and working fine but the fonts are not. Below is an example of an error log. I'm curious if is it always like that? like fonts are always subject to CORS and images are not?

Access to Font at 'website-b.com/font.ttf?' from origin 'website-a.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'website-a.com' is therefore not allowed access.

QUESTIONS

  1. Is typeface always subject to CORS policy and why?
  2. Why are images not subject to CORS policy?
  3. If the typeface is subject to CORS, how is it differs from the image in terms of CORS?
like image 687
Fat Bits Avatar asked May 15 '17 03:05

Fat Bits


People also ask

What is Cross-Origin Resource Sharing?

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

Are images affected by CORS?

HTML provides a crossorigin attribute for images that, in combination with an appropriate CORS header, allows images defined by the <img> element that are loaded from foreign origins to be used in a <canvas> as if they had been loaded from the current origin.

What is cross-origin image?

The crossorigin attribute specifies that the img element supports CORS. CORS stands for Cross Origin Resource Sharing. CORS is a standard mechanism to retrieve files from a third party domain or server. If specified, the image file request will be sent with or without credentials.

What does Cross-Origin Resource Sharing CORS enable?

Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.


1 Answers

The requirements here are from the Font fetching requirements section in the CSS Fonts spec:

For font loads, user agents must use the potentially CORS-enabled fetch method defined by the [HTML5] specification for URL's defined within @font-face rules. When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document.

The implications of this for authors are that fonts will typically not be loaded cross-origin unless authors specifically takes steps to permit cross-origin loads. Sites can explicitly allow cross-site loading of font data using Access-Control-Allow-Origin.

The combination of “potentially CORS-enabled fetch” and the “Anonymous” state is actually to make cross-origin font fetching always CORS-enabled (not just “potentially“)—because the HTML spec says the mode for the “Anonymous” state is always cors:

State Keywords Description
anonymous Anonymous Requests for the element will have their mode set to "cors" and their credentials mode set to "same-origin".

So given all that, here are specific answers to your questions:

  1. Is typeface always subject to CORS policy and why?

Yes, cross-origin font loading with @font-face is always subject to CORS policy, per the spec requirements cited above from the CSS Fonts spec and the HTML spec.

As far as why, there’s a related discussion with this comment:

The primary reason is that font vendors want Web authors to limit use of fonts to their own sites, and Web authors can't easily and reliably do that unless we provide a same-origin restriction

And in the same discussion, this comment:

The same-origin policy applies to pretty much all new resource types on the web. There's only a handful of legacy resource types (images, scripts, css, and ugh, audio/video (barely missed the boat on those)) that let cross-origin pages hotlink without restriction.

This is now a standard security practice for the web.

So then to answer your next question:

  1. Why are images not subject to CORS policy?

Images are in the “handful of legacy resource types” listed in the comment cited above that’ve been part of the Web relatively forever and have always been allowed to be loaded cross-origin. Newer features like fonts—added within the last few years—are different in that when support is added for such features these days, they are restricted to being same-origin by default.

  1. If the typeface is subject to CORS, how is it differs from the image in terms of CORS?

Not sure what you’re asking, but I think the answer is: in terms of CORS, image requests that trigger the same-origin policy are treated no differently than anything requested cross-origin.

What I mean is, if instead of using an img element to load an image, you use XHR or the Fetch API to request it, then your browser is going to apply same-origin restrictions on that image request, just as your browser will for anything else that you request cross-origin.

The difference is just that img element was designed long before we know what we know now, so it has different cross-origin-OK handling in browsers than same-origin-by-default handling we have for newer features these days.

In other words, the handling of img elements is actually the exception to the rule here, while the handling for fonts is consistent with what browsers now use for all newer features.

like image 89
sideshowbarker Avatar answered Sep 27 '22 22:09

sideshowbarker