W3C home > Mailing lists > Public > public-webfonts-wg@w3.org > April 2010

RE: About using CORS

From: Sylvain Galineau <sylvaing@microsoft.com>
Date: Wed, 28 Apr 2010 02:28:29 +0000
To: John Hudson <tiro@tiro.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
CC: Anne van Kesteren <annevk@opera.com>
Message-ID: <045A765940533D4CA4933A4A7E32597E214484D8@TK5EX14MBXC113.redmond.corp.microsoft.com>
> From: public-webfonts-wg-request@w3.org [mailto:public-webfonts-wg-
> request@w3.org] On Behalf Of John Hudson
> Sent: Tuesday, April 27, 2010 5:56 PM


> It is also worth pointing out, perhaps, that a font isn't analogous to
> an image or a video: its a piece of software, a little machine that
> typesets text. 

WOFF and this WG exist because fonts are not 'like images'. The same 
argument was made to argue that raw fonts is all that should be needed. 
Until the realities of HTTP compression and the aim to maximize web author 
choice - beyond free fonts and dedicated proprietary obfuscation services 
like TypeKit - meant that this just wasn't true in practice. That this is 
the way the code should ideally work is nice, but it wasn't getting us as 
far and as fast as WOFF will.
 
The larger motivation is the broadest choice of fonts for all web authors. 
For a bunch of reasons - some technical, some not - this resulted in a new 
cross-browser format and other related implementation decisions. For CORS 
specifically, I understand the main motivation was security. Fonts include 
small bits of code (opcodes actually) and thus do not have quite the same 
security surface as an image file. Also, fonts have generally not been as 
actively targeted for exploits as other resource formats; it thus seems
reasonable to assume the underlying decoders to be relatively less hardened
than, say, the latest PNG decoder.

That most font licenses require same-origin is an added benefit in support of 
Mozilla's choice that fits well with the broader motive.
Received on Wednesday, 28 April 2010 02:29:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 28 April 2010 02:29:06 GMT