How does Google get around the cross-site font-usage security in Firefox with their new Webfonts service?

StackOverflow https://stackoverflow.com/questions/4621401

Question

Google offers webfonts - http://code.google.com/webfonts

They work in Firefox, but FF has a security policy to stop cross-site font usage - http://hacks.mozilla.org/2009/06/beautiful-fonts-with-font-face/ (search for Cross-Site Font Usage).

Can anyone hazard a guess how they do this? Do they use 'access control headers'? Is there a way to test for it?

And are there any security concerns with adding access control headers?

Thanks in advance.

Solution

Yes, they use access control headers. You can use Live HTTP Headers to verify this:

  1. Go to the page for a font, eg: http://code.google.com/webfonts/family?family=Droid+Sans
  2. Click on "Use this font"
  3. Go to the href in the HTML snippet, eg: http://code.google.com/webfonts/family?family=Droid+Sans
  4. Enable Live HTTP Headers
  5. Go to the src from the CSS that you opened in step 3. This will download the font and you can see that Access-Control-Allow-Origin: * is in the response headers.
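
The header check in step 5 can also be expressed in code. The following is an added example, not part of the original answer: a simplified model of the decision a browser makes from the `Access-Control-Allow-Origin` response header when a page loads a font from another origin. The function name, URLs and header lists are constructed for illustration, and the model assumes the font request is sent without credentials.

```javascript
// Simplified model of the CORS check applied to a cross-site font response.
// Assumption: the request carries no credentials, so only
// Access-Control-Allow-Origin decides the outcome.
function fontLoadAllowed(pageUrl, fontUrl, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin;
  const fontOrigin = new URL(fontUrl).origin;

  // Same-origin fonts are not subject to the restriction at all.
  if (pageOrigin === fontOrigin) return { allowed: true, reason: "same-origin" };

  // Header names are case-insensitive; collect every occurrence.
  const values = [];
  for (const [name, value] of responseHeaders) {
    if (name.toLowerCase() === "access-control-allow-origin") values.push(value.trim());
  }
  if (values.length === 0) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  // The value must be exactly "*" or one origin. Repeated headers or a
  // comma/space-separated list never match and the font is rejected.
  if (values.length > 1 || /[,\s]/.test(values[0])) {
    return { allowed: false, reason: "multiple values are not valid" };
  }
  if (values[0] === "*") return { allowed: true, reason: "wildcard" };
  // Exact string comparison against the page's serialized origin.
  if (values[0] === pageOrigin) return { allowed: true, reason: "origin match" };
  return { allowed: false, reason: "origin mismatch" };
}

// Constructed sample data: a page, a font URL and four possible responses.
const page = "https://blog.example/post.html";
const font = "https://fonts.example/droid-sans.woff";
const samples = {
  wildcard: [["Content-Type", "font/woff"], ["Access-Control-Allow-Origin", "*"]],
  exact: [["access-control-allow-origin", "https://blog.example"]],
  missing: [["Content-Type", "font/woff"]],
  list: [["Access-Control-Allow-Origin", "https://blog.example, https://other.example"]],
};
for (const [label, headers] of Object.entries(samples)) {
  const r = fontLoadAllowed(page, font, headers);
  console.log(`${label}: ${r.allowed ? "font usable" : "font blocked"} (${r.reason})`);
}
```

The `wildcard` case corresponds to the `Access-Control-Allow-Origin: *` header seen in step 5: any site may use the font. The `exact` case is what a server sends when it wants to limit use to one named origin.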

License: CC-BY-SA with attribution
Not affiliated with StackOverflow