- From: Behdad Esfahbod <behdad@google.com>
- Date: Thu, 10 Feb 2011 16:16:44 -0500
- To: John Daggett <jdaggett@mozilla.com>
- Cc: Håkon Wium Lie <howcome@opera.com>, public-webfonts-wg@w3.org, Anne van Kesteren <annevk@opera.com>
- Message-ID: <AANLkTimzZPSxTV56SkcJt=T-v4MhL7kJnQesg22eijoM@mail.gmail.com>
Given the discussion going on, I wonder, has it been considered to include a SOR flag in the WOFF file itself? That solves both problems in that: 1) proprietary foundries can include the flag and those WOFF fonts will be checked for SOR by the browsers, 2) fonts and non-fonts are not inherently handled differently on the web. The SOR check originates from a explicit flag inside the content. My .02CAD behdad On Wed, Feb 9, 2011 at 11:38 PM, John Daggett <jdaggett@mozilla.com> wrote: > Håkon Wium Lie wrote: > > > Same-origin restrictions (SOR), by way of CORS, is described in > > the current WOFF WD. As we have seen on this list, the use of > > CORS is seeing some resistance in the web community. I believe > > it's in the interest of this WG to try address the concerns > > raised. > > I think this is a confusing way of describing the issue with > same-origin restrictions on fonts. CORS is a mechanism for > *relaxing* a same origin restriction, it's not a mechanism to > *enforce* a same origin restriction. > > I think there are two separate issues here: > > 1. What should be the default load behavior for cross-origin > font requests? > > 2. How can authors modify the default behavior? > > The existing same-origin restriction for WOFF is that by default > cross-origin font requests aren't loaded but that this behavior > can be modified by authors using the CORS mechanism. What Anne > is proposing is that by default cross-origin font requests *are* > loaded, just as images and scripts are loaded. But authors can > restrict cross-site usage of *any* resource type by adding an > appropriate 'From-Origin' header. The default load behavior is > the real issue here, the mechanism for relaxing/tightening this > is more interesting mechanics. > > As both Dave and Sylvain have pointed out, removing the default > load restriction on cross-origin font resources means that > authors would always need to change response header settings to > satisfy common licensing requirements for commercial fonts. If > cross-origin fonts are restricted by default they wouldn't need > to do this. > > Note that it's also possible to have cross-origin font resources > restricted by default *and* allow other types to be restricted > via something like Anne's 'From-Origin' mechanism. I'm quite > sure Anne doesn't like that though. ;) > > It would be good to get a clear response from Apple as to what > their position is and the reasoning behind it. > > Regards, > > John Daggett > > cc: Anne > >
Received on Thursday, 10 February 2011 21:17:35 UTC