Re: SOR: CORS or From-Origin? from John Hudson on 2011-02-10 (public-webfonts-wg@w3.org from February 2011)

From: John Hudson <tiro@tiro.com>
Date: Thu, 10 Feb 2011 10:18:00 -0800
CC: public-webfonts-wg@w3.org
Message-ID: <4D542BD8.6000900@tiro.com>

Sylvain Galineau wrote:

> [Håkon Wium Lie:]
>> Yes. It's a tradeoff. Slightly more work for font publishers with
>> restrictions -- they would have to add this to their .htaccess file:
>>
>>   <FilesMatch "\.(ttf|TTF|otf|OTF|woff|WOFF)$">
>>   Header set From-Origin same
>>   </FilesMatch>

> That's not work for font publishers, that's work for the guy who
> licensed and paid for the font and now needs to monkey around with
> his HTTP server config to conform to the license. (And assumes he
> has access to .htaccess, which is not always the case e.g. small 
> business using a hosting service). Never mind the skills to do it
> correctly and verify that the font is indeed same-origin after the
> change. This also has to be done for every server that may serve 
> the font for this domain etc.  

I understand the purpose of SOR in WOFF to be to make it very easy for 
font licensees to conform to the terms of the font license. We want 
fonts to be easy to use on the Web, not only by IT professionals but 
also by all the people who just want to create a website. Fonts on the 
Web should be as easy to use from a document creator perspective as 
fonts in desktop publishing, presuming that this is the kind of 
widespread, media-transforming use of webfonts we all want to see. At 
the same time, font licensing for the Web should be as worry free from 
both the user and font vendor perspectives as it can be, hence the 
default behaviour should be that which requires least work from the user 
to conform to reasonable license terms.

I understand Anne's objection to be that, having implemented SOR as 
currently spec'd in the WOFF format, CORS would then be required to 
relax that restriction and that this is using CORS for a purpose other 
than that for which it might have been originally intended or currently 
spec'd. Leaving aside that I consider protecting a user's investment in 
typographic assets to be  as sound a reason for SOR and CORS as 
protecting their data, isn't this what we do with technologies: discover 
practical new uses for them. If we didn't, electricity would still be 
just a quack medical tool for invigorating the vital essences.

JH

Received on Thursday, 10 February 2011 18:18:38 UTC