W3C home > Mailing lists > Public > www-font@w3.org > April to June 2011

Re: css3-fonts: should not dictate usage policy with respect to origin

From: John Daggett <jdaggett@mozilla.com>
Date: Wed, 29 Jun 2011 10:55:54 -0700 (PDT)
To: Glenn Adams <glenn@skynav.com>
Cc: John Hudson <tiro@tiro.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>, liam@w3.org, StyleBeyondthePunchedCard <www-style@w3.org>, public-webfonts-wg@w3.org, www-font@w3.org, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
Message-ID: <1025873274.377072.1309370153990.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Hi Glenn,

You write that you've proposed several different alternatives to the existing origin restriction requirement in the CSS3 Fonts specification.  However, all of these seem to be to achieve the same effect, that is to make origin restrictions on fonts loading via @font-face rules optional in one form or another, either by changing "must" clauses to "should" clauses or by spinning the requirements out to other specs.

The one thing I would like to understand is whether this is simply because of the specified origin restriction mechanism (i.e. same origin restricted by default using CORS to relax or explicit restriction via the proposed From-Origin header).  Are you objecting to either of these being required behavior or just the former of these two proposals?

I've read through your messages and I'm still not seeing a compelling reason to make the existing requirements optional, if anything recent events emphasize the compelling reasons for this requirement.  Issues like this related to security are even more important for relatively closed environments like set-top boxes where updates are infrequent.

As background, I think it would be useful to read through a description of a recent WebGL security issue below.  The context is slightly different but the issue is the same, especially what is described in the section "Cross-Domain Image Theft":

  http://www.contextis.com/resources/blog/webgl/

My intention is to bring up the specific issue as to whether to make this requirement optional or not during next week's CSS WG call, I think it's best to have a formal resolution on this issue.

Regards,

John Daggett
CSS3 Fonts Editor
Received on Wednesday, 29 June 2011 17:56:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 29 June 2011 17:56:36 GMT