Should crossorigin=anonymous be the default for preloading fonts?

[tunetheweb]

What is the issue with the HTML Standard?

It's weird that you have to do this for a sameorigin font preload:

<link rel=preload href="/same-origin-font.woff2" as="font" crossorigin>

AFAIK there is a never a use case for preloading a font without this crossorigin attribute (or crossorigin=anonymous which is equivalent).

And if you forget that attribute then the browsers will download the font twice, which is a real footgun for developers (recent example: bluesky-social/social-app#6992).

Should browsers just automatically add crossorigin=anonymous for same-origin font preloads if the developer forgets to include it?

Are there any implications for this (e.g. if same origin resource redirects to a cross origin request)?

See prior discussion here: w3c/preload#32.

CC: @noamr @yoavweiss

[tunetheweb]

Oh just found #10891 when I don't typo my searches for already opened issues 😔

Happy to close this and move the discussion there? Or we can keep that generic and try to resolve this specific case here?

Also some further discussion in #7627

[noamr]

Yea let's fold into #10891. #7627 is definitely relevant, but I think we should revise the conclusion we had there.