W3C home > Mailing lists > Public > www-font@w3.org > April to June 2011

Re: css3-fonts: should not dictate usage policy with respect to origin

From: John Daggett <jdaggett@mozilla.com>
Date: Tue, 21 Jun 2011 20:28:22 -0700 (PDT)
To: Florian Rivoal <florianr@opera.com>
Cc: Jonathan Kew <jonathan@jfkew.plus.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, John Hudson <tiro@tiro.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, www-font@w3.org, Glenn Adams <glenn@skynav.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>
Message-ID: <1499499259.296084.1308713302000.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>
Florian Rivoal wrote:

> It seems to me the current proposal has two goals. The first one is
> limit accidental/misguided/unauthorized use of fonts hosted on one
> domain by another one. I believe that this first reason is the one
> that has been mentioned as explaining font creators' enthusiasm for
> web fonts.
> 
> While this may not please font authors, I believe that in this
> context, it makes sense to consider this optional. As far as copy
> protection systems go, this is fairly ineffective, since it doesn't
> prevent you from fetching the font directly yourself by other means
> than the @font-face rule. Since the UA is meant to work on behalf of
> the user, it makes little sense to say that the UA is strictly
> forbidden to do things the user could do on his own.

One of the reasons the same origin restriction for fonts was proposed
was that font vendors were proposing licensing terms that effectively
required referrer checking.  But this is a poor mechanism to prevent
cross-site linking, it's not completely effective.  The same origin
restriction is a simple way of preventing cross-site linking, it's
achieves the same thing as referrer checking without the problems and
the hassle of diddling with one's server.

> Another goal is to prevent information leakage that could be caused
> by including fonts from an intranet into a internet webpage, and
> then somehow pushing the font or information about it out of the
> intranet. This probably provides stronger justification for having a
> mandatory mechanism, since it is not only about acquiring the font,
> but also exposing it to the script environment. But this problem is
> not at all unique to fonts, so a solution that is resource type
> agnostic (and therefore not specified in a font related
> specification) would be best.
> 
> AnneVK's proposal seems to take care of the second goal better than
> a font specific rule, as it can be used on any kind of resource.
> With regards to the first goal, it has the same level of
> expressiveness as the current proposal. The main difference is that
> this is opt-in, while the current proposal is opt-out. But I don't
> think that this is a significant issues, since web servers can
> easily be configured to send "From-Origin: same" by default for the
> relevant file types, turning the default behavior to opt-out again.

The advantage of same origin restriction is that it serves the needs
of the majority of users without any extra work.  Using From-Origin
requires that the majority of users, either because they want to
prevent bandwidth leeching or they need to comply with the licensing
terms for the fonts they use, to diddle with server settings.

I think this boils down to simple practicality vs. purity of essence. 
The proposals aren't really that far apart.

Regards,

John Daggett
Received on Wednesday, 22 June 2011 03:28:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 22 June 2011 03:28:53 GMT