- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 20 Mar 2011 22:13:39 -0700
- To: Chris Lilley <chris@w3.org>
- Cc: WebFonts WG <public-webfonts-wg@w3.org>
I don't think it makes sense to use "at risk" for this. "At risk" is normally used for features that are desirable, but that the WG is not sure will be implemented quickly and widely enough to advance. In this case, it seems to me we have consensus that the spec should change, specifically that we should use FO instead of CORS and that any same-origin restrictions should be defined at the CSS level I object to advancing to CR when the WG has consensus that the spec should be changed, and to using the "at risk" mechanism to push planned changes past CR rather than for its intended purpose. Furthermore, it seems to me that no implementors intend to implement same-origin restrictions as written, applying to WOFF only. Known major implementations intend to either use CORS for @font-face, or not apply same-origin restrictions at all. Advancing a spec that does not reflect the wishes of the WG nor the plans of any implementor does the whole community a disservice. Therefore I object to such advancement. If the WG chooses to advance to CR nonetheless, then I will make this a Formal Objection. Removing mention of CORS and same-origin restrictions from the WOFF spec, or turning them into a non-normative note, indicating the planned work in CSS3 Fonts, would resolve my objections. Regards, Maciej On Mar 3, 2011, at 2:07 PM, Chris Lilley wrote: > Hello WebFonts WG, > > Here is my proposed text for the 'at risk' wording. First as plain text, for email readability then the same thing marked up for the document. Both editorial notes are of the form 'if CSS3 Fonts adds it, we will remove ours". > > > At the end of the 'status of this document' section, add: > > This document identifies two features as being at risk: the default Same Origin Restriction (SOR) and the mechanism used to relax the SOR, Cross Origin Resource Sharing (CORS). > > Split the first paragraph of 'General Requirements' so that SOR and CORS are in separate paragraphs: > > containing document is used. <- split here -> User agents MUST also > > After the new first paragraph, about SOR, add an editorial note: > > Feature at risk: The WebFonts WG believes that the default Same-Origin restriction would be better applied to all fonts referenced from @font-face, rather than one specific format. Therefore, if CSS3 Fonts adds a normative requirement for a Same-Origin restriction,the WebFonts WG will drop it from the WOFF specification and instead refer to CSS3 Fonts. > > After the second paragraph, about CORS, add a second editorial note: > > Feature at risk: The WebFonts WG suspects that the From-Origin header may be a better way to infer a default Same-Origin for fonts, and the same mechanism can also be used to relax the restriction to allow font sharing across domains. Therefore, once CSS3 Fonts mandates a mechanism, WebFonts WG will drop the requirement to use CORS from this specification. > > ===================================================== > > end of SOTD > > <p>This document identifies two features as being > <p> <a href="http://www.w3.org/2005/10/Process-20051014/tr.html#cfi">at risk</a>: the > <a href="#atrisk-SOR">default Same Origin Restriction > (SOR)</a> and the <a href="#atrisk-CORS">mechanism used to relax the SOR, Cross Origin Resource Sharing (CORS)</a>.</p> > > replacement for entire first para of General Requirements > > <p>The primary purpose of the WOFF format is to package fonts linked to Web documents > by means of CSS <tt>@font-face</tt> rules. > <span class="conform ua" id="conform-same-origin">When using such fonts, user agents MUST implement a 'same-origin restriction' > on the downloading of WOFF files > using the same-origin matching algorithm described in the HTML5 specification</span> ([<cite><a href="#ref-HTML5">HTML5</a> <a href="http://www.w3.org/TR/html5/origin-0.html#origin-0">Section 5.3: > Origin</a></cite>]). > <span class="conform ua" id="conform-doc-origin">The origin of the stylesheet containing <tt>@font-face</tt> declarations > is not used when deciding whether a WOFF file is same-origin or not, > only the origin of containing document is used</span>.</p> > > <p class="ednote">Feature at risk: The WebFonts WG believes that the default Same-Origin restriction would be better applied to all fonts referenced from <tt>@font-face</tt>, rather than one specific format. Therefore, if CSS3 Fonts [<cite><a href="#ref-CSS3-Fonts">CSS3-Fonts</a></cite>]adds a normative requirement for a Same-Origin restriction,the WebFonts WG will drop it from the WOFF specification and instead refer to CSS3 Fonts.</p> > > <p><span class="conform ua" id="conform-cors">User agents MUST also implement the ability to relax this restriction > using Cross-Origin Resource Sharing</span> [<cite><a href="#ref-CORS">CORS</a></cite>]. > Thus, sites can explicitly allow cross-site downloading of WOFF files > using the <tt>Access-Control-Allow-Origin</tt> HTTP header.</p> > > <p class="ednote">Feature at risk: The WebFonts WG suspects that the From-Origin header may be a better way to infer a default Same-Origin for fonts, and the same mechanism can also be used to relax the restriction to allow font sharing across domains. Therefore, once CSS3 Fonts [<cite><a href="#ref-CSS3-Fonts">CSS3-Fonts</a></cite>] mandates a mechanism, WebFonts WG will drop the requirement to use CORS from this specification.</p> > > > -- > Chris Lilley Technical Director, Interaction Domain > W3C Graphics Activity Lead, Fonts Activity Lead > Co-Chair, W3C Hypertext CG > Member, CSS, WebFonts, SVG Working Groups > >
Received on Monday, 21 March 2011 05:14:16 UTC