I'm following that thread hoping that some day they will listen to their customers. I'm pretty close to switching to another CDN because of that. Do you happen to have any recommendations?
It would also be nice if Firefox would solve this. If we can load an image from another domain we should be able to load a font from another domain by default.
Though I do see how a font has more potential for malware than an image, the other browser makers apparently don’t see any qualms with cross-domain font loading. Anyone know Firefox’s rationale for doing this differently from the other vendors?
At least they should allow it for root domain to access subdomain's. I put all static files in a subdomain to make them free of cookies, but such restriction makes things difficult.
The reasoning given, that font vendors don't want people linking to their fonts, seems pretty wrong headed. This is just another stupid standard making life harder and hurting productivity for web developers.
I've never managed to fully understand the purpose of any cross-domain rules on the browser. So many can be easily (relatively) circumvented, why waste people's time at all?
This is a ridiculous argument - there are no "good" reasons only a lot of FUD and font vendors who want this as a roundabout form of asset protection. The fonts are accessible by anyone who can use wget and can be copied and hosted anywhere else instead. Useless on all fronts, this just restricts the public web from end users.
Do not forget that the website must link to the asset in question. Why would they link to something they don't trust? Everyone trusts jQuery to not be malicious and everyone has links to cross-origin code running on their site. This is what makes the web a "web". Otherwise you would only be able to link with yourself.
I have the same problem and haven't found a solution that works and is easy to set up and manage. This looks promising, too bad I'm using Django and not RoR.
The combination heroku + S3 is awesome, but throw in fonts and firefox and it turns into an ugly mess.
12 comments
[ 4.5 ms ] story [ 34.3 ms ] threadhttps://forums.aws.amazon.com/thread.jspa?threadID=34281
Though I do see how a font has more potential for malware than an image, the other browser makers apparently don’t see any qualms with cross-domain font loading. Anyone know Firefox’s rationale for doing this differently from the other vendors?
http://dev.w3.org/csswg/css3-fonts/#same-origin-restriction
Some related discussion: https://bugzilla.mozilla.org/show_bug.cgi?id=604421
I've never managed to fully understand the purpose of any cross-domain rules on the browser. So many can be easily (relatively) circumvented, why waste people's time at all?
This is a ridiculous argument - there are no "good" reasons only a lot of FUD and font vendors who want this as a roundabout form of asset protection. The fonts are accessible by anyone who can use wget and can be copied and hosted anywhere else instead. Useless on all fronts, this just restricts the public web from end users.
Do not forget that the website must link to the asset in question. Why would they link to something they don't trust? Everyone trusts jQuery to not be malicious and everyone has links to cross-origin code running on their site. This is what makes the web a "web". Otherwise you would only be able to link with yourself.
The combination heroku + S3 is awesome, but throw in fonts and firefox and it turns into an ugly mess.