
Dear Firefox, Fucking fix it already - jdorfman
https://www.change.org/petitions/mozilla-firefox-fix-bug-475891
======
mbrubeck
I'm confused. This petition talks about cross-domain fonts, but it links to
[http://bugzil.la/475891](http://bugzil.la/475891) which has nothing to do
with cross-domain issues. (It's about using different fonts for different
Unicode characters.) Did you mean to link to
[http://bugzil.la/604421](http://bugzil.la/604421) instead?

Note that IE also applies same-origin restrictions to web fonts, and in fact
this is required by the CSS Fonts standard [1], although this has been a
somewhat contentious part of the spec [2]. The Blink team has discussed
implementing this part of the spec too; Google's Tab Atkins believes that any
new resource linking mechanism added to the web platform should be subject to
same-origin restrictions by default [3] because this gives the platform better
security characteristics.

The publisher of a web font can enable cross-origin use in all browsers by
sending CORS headers [4].

[1] [http://www.w3.org/TR/css-fonts-3/#same-origin-
restriction](http://www.w3.org/TR/css-fonts-3/#same-origin-restriction)

[2] [http://lists.w3.org/Archives/Public/www-
style/2011Jun/thread...](http://lists.w3.org/Archives/Public/www-
style/2011Jun/thread.html#msg476)

[3] [https://groups.google.com/a/chromium.org/d/msg/blink-
dev/TT9...](https://groups.google.com/a/chromium.org/d/msg/blink-
dev/TT9D5-Zfnzw/UKMHYjVe3scJ)

[4] [https://developer.mozilla.org/en-
US/docs/HTTP/Access_control...](https://developer.mozilla.org/en-
US/docs/HTTP/Access_control_CORS)

~~~
jdorfman
Updated, thanks for pointing that out.

"The publisher of a web font can enable cross-origin use in all browsers by
sending CORS headers."

I agree they can, but why do we need to add "Access-Control-Allow-Origin"
header? What is the security risk? I am not being facetious, I really want to
know.

~~~
mbrubeck
So, you fixed the bug number, but what about my other points? Why single out
Firefox when IE9+ has the same behavior and that behavior is required by the
spec? Why don't you (or your CDN) use CORS? Why do you say this is "breaking
the web" when thousands of sites are using cross-domain web fonts just fine in
Firefox and IE (for example, any site that uses Google Web Fonts)?

 _Edit: I see you added more to your comment now._

There are a few reasons to require CORS for cross-domain font loads. One is so
that you can use fonts that have single-site licenses in a way that satisfies
the licensor, by not allowing other sites to use the font too without your
authorization. Another is to prevent unintended data leaks where a malicious
site can deduce things about a user based on whether that user can load a font
from a different site, or based on the contents of that font. This isn't about
a known attack, but a class of attack that we know from experience is likely
to crop up in the future for any type of cross-origin resource load that we
allow.

~~~
jdorfman
"Why single out Firefox when IE9+ has the same behavior and that behavior is
required by the spec?"

I don't expect Microsoft to listen to their customers/users. I used to think
Mozilla did but apparently not.

~~~
mbrubeck
Hey, I'm part of Mozilla and I spent a significant part of my day researching
this spec, and asking questions and listening to try and find out why your use
case wasn't being met. Usually we prefer well-reasoned bug reports or emails
as apposed to "Fucking fix it" on the HN front page, but we'll take feedback
where we find it. :)

Also note that if you can't convince Microsoft to change this as well, then it
doesn't matter too much what Mozilla does (at least for sites that need to
support IE).

------
dbaron
So we (Mozilla) are following the spec, which says what it does as the result
of discussion/negotiation over a period of at least 4 years (roughly
2007-2011) involving browser makers and font foundries, both in terms of what
browsers were willing to implement (not wanting something DRM-like to protect
fonts) but what would lead to more font foundries being willing to license
commercial fonts for use on the Web. So following the spec here isn't about
blindly honoring some piece of paper; it's about honoring the result of a
negotiation process that we participated in. WebKit unilaterally ignored this
agreement, though it sounds like Blink may well change to honoring it.

Many (but not all) of us believe that same-origin by default is also the right
thing for security, that it should be the default for new types of resource
linking on the Web, and that not having same origin restrictions for things
like images was a pretty serious mistake that we're still paying the security
costs of (for example, with canvas image tainting).

~~~
jdorfman
@dbaron, I appreciate your insight. Makes sense even though, _at this time_ ,
I do not fully agree with the spec. I guess time will tell.

------
drakaal
Google Chrome let's you do something Unsafe that none of the other browsers
let you do, and you want the safe browser broken so it does the dangerous
thing? This doesn't seem like a good idea to me.

You can use fonts from places that let you use them. But this offers both a
minimal copy/hot link protection, so that I can't just steal a font from
somewhere, or use someone else's hosted font unless they let me.

I don't think Firefox should "fix" this as it seems to be a good decision for
preventing all sorts of bad things.

------
__david__
I assume there is not an arbitrary reason for this--does Mozilla consider
fonts to be dangerous (security-wise)?

Also, do you want to load the fonts across domains so they can be hosted on
CDNs?

Also, this is a terrible, non-descriptive title.

------
gcb0
this is probably astroturfing by google. Who provides both a site with free
fonts and a browser without those restrictions. Plus we know they have use for
those random resource requests since they also provide 8.8.8.8 and other
similar cdn for js libraries. Also they killed 3+ attempts at disbling
referrer from the chromium comunity.

or i am just paranoid.

~~~
mbrubeck
Google Web Fonts uses CORS, so it works cross-origin in Firefox and IE.

~~~
gcb0
exactly. did you even read my paranoid theory? :)

all they want is that FF and IE be as permissive as Chrome so they can track
everyone via cross-domain font requests. As they already do with DNS and free
CDN for js libs.

~~~
mbrubeck
But my point is they can already do this. They don't need IE or Firefox to
change anything because _IE and Firefox already support cross-domain fonts._

