Search code examples
securityfont-facewebfontsgoogle-webfonts

How does Google get around the cross-site font-usage security in Firefox with their new Webfonts service?

Google offers webfonts - http://code.google.com/webfonts

They work in Firefox, but FF has a security policy to stop cross-site font usage - http://hacks.mozilla.org/2009/06/beautiful-fonts-with-font-face/ (search for Cross-Site Font Usage).

Can anyone hazard a guess how they do this? Do they use 'access control headers'? Is there a way to test for it?

And are there any security concerns with adding access control headers?

Thanks in advance.

Solution

  • Yes, they use access control headers. You can use Live HTTP Headers to verify this:

    1. Go to the page for a font, eg: http://code.google.com/webfonts/family?family=Droid+Sans
    2. Click on "Use this font"
    3. Go to the href in the HTML snippet, eg: http://code.google.com/webfonts/family?family=Droid+Sans
    4. Enable Live HTTP Headers
    5. Go to the src from the CSS that you pened in step 3. This will download the font and you can see that Access-Control-Allow-Origin: * is in the response headers.