
Re: Minutes, 16 February 2011 WebFonts WG telcon

From: John Daggett <jdaggett@mozilla.com>
Date: Sun, 20 Feb 2011 17:38:20 -0800 (PST)
To: Maciej Stachowiak <mjs@apple.com>
Cc: Vladimir Levantovsky <Vladimir.Levantovsky@MonotypeImaging.com>, Håkon Wium Lie <howcome@opera.com>, public-webfonts-wg@w3.org, Sylvain Galineau <sylvaing@microsoft.com>
Message-ID: <1444288020.396512.1298252300144.JavaMail.root@cm-mail03.mozilla.org>
Maciej Stachowiak wrote:

> In fairness, Mozilla's argument isn't based on such an
> assumption, rather, Robert O'Callahan and others argue that
> default-denying embedding is a better model for resource access
> than default-allowing it, and should be changed for "all future
> resource types" (currently fonts are the only known or
> projected example). Mozilla folks seem to feel that applying
> the better model to a subset of types is more valuable than a
> consistent, but slightly suboptimal model. I think that is a
> reasonable argument, but I disagree about the balance of
> tradeoffs.

This is a fair summary. I think it's interesting here to point
out that the HTML5 spec contains recently (2/11) added text that
taints <canvas> elements when cross-origin fonts are used; one of
the conditions for tainting is:

  The element's 2D context's fillText() or strokeText() methods
  are invoked and end up using a font that has an origin that is
  not the same as that of the Document object that owns the
  canvas element. 

  http://dev.w3.org/html5/spec/Overview.html#security-with-canvas-elements

So I think the default for fonts being "consistent" with other
resource types such as images doesn't equate with simplicity,
this is a leaky model that seems to require inconsistencies that
are buried more deeply.

Regards,

John Daggett
Received on Monday, 21 February 2011 01:38:54 GMT
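
The tainting condition quoted in the message above, as a simplified model; this is an added example, not part of the original e-mail and not any browser's code. `CanvasModel`, `readPixels`, `canRead` and `demo` are hypothetical names and the URLs are constructed; the refusal of pixel read-back (`toDataURL()`, `getImageData()`) on a tainted canvas follows the HTML5 canvas security section linked in the message.

```javascript
// Simplified model of the canvas origin-clean flag (not browser code).
// All class/function names are hypothetical; URLs are constructed samples.

// Same origin means scheme, host and port all match. URL.origin
// normalises default ports, so https://host:443 equals https://host.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

class CanvasModel {
  constructor(documentUrl) {
    this.documentUrl = documentUrl;
    this.originClean = true; // every canvas starts origin-clean
  }

  // Models fillText()/strokeText(): the draw itself succeeds either way,
  // but a font from another origin clears the flag for good.
  fillText(text, fontUrl) {
    if (!sameOrigin(fontUrl, this.documentUrl)) this.originClean = false;
    return text.length; // stand-in for "glyphs drawn"
  }

  // Models toDataURL()/getImageData(): read-back is refused once tainted.
  readPixels() {
    if (!this.originClean) {
      const err = new Error("canvas is not origin-clean");
      err.name = "SecurityError";
      throw err;
    }
    return "pixel-data"; // stand-in for real image bytes
  }
}

function canRead(canvas) {
  try { canvas.readPixels(); return true; }
  catch (e) { if (e.name === "SecurityError") return false; throw e; }
}

// The font load is allowed in both cases; only read-back differs.
function demo() {
  const doc = "https://site.example/page.html";
  const same = new CanvasModel(doc);
  same.fillText("hi", "https://site.example:443/fonts/a.woff");
  const cross = new CanvasModel(doc);
  cross.fillText("hi", "https://cdn.example/fonts/a.woff");
  return { sameOriginFont: canRead(same), crossOriginFont: canRead(cross) };
}
```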
