Reputation: 103388
When requesting font files cross-domain you have to ensure that the domain requesting is allowed to access the font file using CORS headers:
However this isn't required when requesting images, either for img elements or background-image.
Why do these file types have different security?
Upvotes: 18
Views: 2353
Reputation: 17932
Browsers enforce CORS on font files because the spec says that they must do so:
For font loads, user agents must use the potentially CORS-enabled fetch method defined by the [FETCH] specification for URL's defined within @font-face rules. When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document.
…and notes directly:
The implications of this for authors are that fonts will typically not be loaded cross-origin […]
That doesn't really answer your question though, since the spec itself doesn't give the rationale for why this requirement had to be there.
The linked Firefox thread is one of many discussions, and mentions a general "improved security for new specs" rationale:
There's a larger discussion here of what "new" resource types should default to, whether they should simply default to the same unrestricted linking allowed for images and script or whether they should be restricted by default with the ability to relax via CORS
But it sounds like in this particular case, the driving reason was political. That is, it factored in concerns which were not "purely technical". As one of the implementers summarized:
The primary reason is that font vendors want Web authors to limit use of fonts to their own sites, and Web authors can't easily and reliably do that unless we provide a same-origin restriction by default.
This is corroborated in the bug tracker discussions of other implementers as well, e.g.:
The main effects of [a browser] not doing so, as far as I can see, are sites inadvertently violating their font licenses and authors being confused about the proper way to deploy fonts.
Upvotes: 12
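To make the difference concrete, here is an added model (not part of the question or answer) of the check a browser performs on an @font-face fetch in anonymous mode versus the plain no-CORS fetch used for img and background-image. The header dictionaries and origins are constructed sample data; the decision logic follows the Fetch standard's CORS check (Access-Control-Allow-Origin must be `*` or exactly equal to the requesting origin).

```python
"""Anonymous-mode CORS check for @font-face versus no-CORS image loads.

Illustrative code, not from the original post. Sample headers and
origins below are constructed. Per the Fetch standard, a CORS-enabled
fetch passes only if the response carries Access-Control-Allow-Origin
equal to "*" or byte-for-byte equal to the requesting origin. Anonymous
mode never sends cookies, so "*" is acceptable for fonts.
"""


def cors_check(request_origin: str, response_headers: dict) -> bool:
    """Return True if the response opts the requesting origin in via CORS."""
    # Header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False  # font host did not opt in; browser discards the font
    if acao == "*":
        return True  # any origin; fine for a credential-less fetch
    # Exactly one origin may be listed. A comma-separated list or a
    # trailing slash is a frequent misconfiguration and simply fails.
    return acao == request_origin


def font_allowed(document_origin: str, response_headers: dict) -> bool:
    """@font-face: CSS Fonts mandates a CORS-enabled fetch in anonymous mode."""
    return cors_check(document_origin, response_headers)


def image_allowed(document_origin: str, response_headers: dict) -> bool:
    """img / background-image: no-CORS fetch, renders regardless of CORS
    headers (the bitmap is merely tainted for canvas readback)."""
    return True


# Constructed sample responses from a hypothetical font host.
NO_CORS = {"Content-Type": "font/woff2"}
WILDCARD = {"Content-Type": "font/woff2", "Access-Control-Allow-Origin": "*"}
ONE_ORIGIN = {
    "Content-Type": "font/woff2",
    "Access-Control-Allow-Origin": "https://app.example",
    "Vary": "Origin",  # needed when the server echoes one origin per request
}
BAD_LIST = {"Access-Control-Allow-Origin": "https://app.example, https://other.example"}

if __name__ == "__main__":
    origin = "https://app.example"
    for name, hdrs in [("none", NO_CORS), ("wildcard", WILDCARD), ("one", ONE_ORIGIN), ("list", BAD_LIST)]:
        print(f"{name:8} font={font_allowed(origin, hdrs)} image={image_allowed(origin, hdrs)}")
```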