
cors - Why must font files obey CORS rules while images do not?

Reposted. Author: 行者123. Updated: 2023-12-04 08:48:09

When requesting a font file cross-origin, you have to make sure the requesting domain is allowed to access the font file via CORS headers:

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials

However, this is not required when requesting images, whether for an img element or a background-image.

Why do these file types get different security treatment?

Best answer

Expanding on the link @Marged provided, browsers enforce CORS on font files because the spec says they must:

    For font loads, user agents must use the potentially CORS-enabled fetch method defined by the [FETCH] specification for URL's defined within @font-face rules. When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document.

...and notes directly:

    The implications of this for authors are that fonts will typically not be loaded cross-origin […]

But that doesn't really answer your question, because the spec itself gives no rationale for why this requirement has to exist.

The linked Firefox thread is one of many discussions and mentions a generic "improved security for new specs" rationale:

    There's a larger discussion here of what "new" resource types should default to, whether they should simply default to the same unrestricted linking allowed for images and script or whether they should be restricted by default with the ability to relax via CORS

But it sounds like in this particular case the driving reason was political, that is, it took into account concerns that were not "purely technical". As one of the implementers summarized:

    The primary reason is that font vendors want Web authors to limit use of fonts to their own sites, and Web authors can't easily and reliably do that unless we provide a same-origin restriction by default.

This is confirmed in bug-tracker discussions by other implementers. Again, for example:

    The main effects of [a browser] not doing so, as far as I can see, are sites inadvertently violating their font licenses and authors being confused about the proper way to deploy fonts.

On "cors - Why must font files obey CORS rules while images do not?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33208474/

    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号