Re: [css3-webfonts] Downloaded fonts should not...

On 12/04/2008, Ambrose Li <ambrose.li@gmail.com> wrote:
>
> IMHO these are still different. When you cache, you likely assume that
>  - you have a cache limit, and

Safari, and I expect all others, caches fonts as they are used for
rendering by the UA. The rendering process ought to sanity check the
font adequately. This happens well before the UA can present a dialog
for "Save Font As," and at that point it is a simple call to the
standard OS API for file copying. If the file is too large for the
cache, it will be discarded, and the dialog will not be displayed.

Perhaps an EOT could be crafted to exploit a decompression/conversion
process to an installable format done by the UA when users click on
"Save Font As." (One can imagine that feature being implemented by UAs
for fonts that encourage installation.)

I also suppose that exploits for the text rendering systems not
detected by UA sanity checking could hide from virus checkers because
of the obfuscation inherent in the format.

>  Unless the standard will specify otherwise, this will differ from saving images
>  by requiring no user consent on the save,

I have not heard anyone suggest that being able to install the font
equates to silently installing the font automatically. On what do you
base this understanding?

>  > >  2. A licensing issue. A font may or may not be allowed to be
>  > >  installed permanently. It all depends upon the EULA. The safest thing
>  > >  for UAs to do is to temporarily install the font for use with the
>  > >  page using a memory only install.
>  >
>  >  As far as I can tell, this offers no benefit to anyone but copyright
>  > holders; it hinders the UA for no practical benefit for the user or site
>  > author.
>
> Machine-readable EULA's are also known to be
> sometimes wrong and cause problems, so I also am seriously
> suspicious of its usefulness.

Could you be more specific about this? What platform? When?

-- 
Regards,
Dave.

Received on Monday, 14 April 2008 22:01:50 UTC