Re: [css3-webfonts] Downloaded fonts should not...

On Apr 15, 2008, at 11:16 AM, Patrick Garies wrote:

>> That seems wise, but it still means the exact same (popular) font
>> might end up being downloaded multiple times from every site that
>> uses it.
>
> The same holds true for files in other formats. Why except font  
> formats? For example, when sites use the same popular image or  
> ECMAScript/JavaScript library, users may have to download those  
> files multiple times.

The way that fonts are different from images is that downloading a few  
fonts, in order to have closer fidelity to the design, would be much  
more bandwidth-intensive than the typically small, compressed graphics  
used for similar purpose (the purpose being fidelity to the design,  
such as in backgrounds, etc.). Feel free to correct me if I am wrong  
about comparative file sizes, as I had posed that as a question in my  
previous e-mail and only got arguments in reply.

So, given that the use case for the spec can have such a large  
deleterious effect on bandwidth use, I thought this would be a good  
place to ask if this is being addressed, and proposed an  
implementation detail that might alleviate the potential problem and  
make the CSS feature more useful. I would like to use the feature, but  
I have concerns about it, and I thought it would be OK to discuss the  
technical aspects of those concerns here. I know it strays from the  
technical discussion of the spec itself, but it seems to have a  
bearing on it.

If there was a way to safely share bandwidth-intensive resources  
amongst multiple sites and domains, then JavaScript libraries would  
likely benefit from using a similar mechanism, but that would be  
beyond the scope of this discussion list.

Another way that fonts are different is that the "font-family"  
attribute does not base what it displays upon a URI. As specified, if  
the font is available, it can be used, wherever it came from  
originally. By itself, it does not say where the resource comes from,  
unlike "background-image", for instance. Unlike font-family, you can't  
have an external resource to use in "background-image" without  
specifying where it is to be downloaded from. Further, the @font-face  
spec does not restrict the downloaded font from being available to  
other sites, only from being shared with other applications. Other  
than some descriptors that indicate what values it can be used with,  
@font-face does not restrict its availability except that "downloaded  
fonts should not be made available to other applications". The word  
"applications" is not defined, but I take it to mean software programs  
outside of the UA.

>> Anyone know if Webkit works that way?
>
> You could download a build [1] and run a test. I’m not going to  
> bother right now though since I’m on dial‐up and have to go to  
> work soon.

Yeah, I had to go to work too. I thought someone might know and be  
able to give a quick answer.

>> I would prefer if it could be downloaded once and then used from any
>> page with an @font-face specifying the same font name, provided there
>> could be some sort of quick check that it was the exact same font
>> (digital signatures or something, perhaps).
>
> I don’t think that such a mechanism should be specified via CSS  
> work. I really don’t know how you’d specify such a thing anyway.

Neither does caching, or how permanent a downloaded font is. If the  
spec says the font should not be shared, or if the WG in considering  
the MS idea of allowing the font to be "permanently installed ", then  
the technical options could have a bearing on that decision. It is in  
that spirit that I brought it up for discussion.

The spec says that the font "downloaded fonts should not be made  
available to other applications". You said that it also should not be  
made available to other sites, which is stricter than what the spec  
says. The font-family property picks a font from a list based on what  
is available for each character. It doesn't say what it is that makes  
the font available. I see nothing in the spec that would prevent a UA  
from making a font downloaded via @font-face available to all other  
Web pages **in the same application**. I conceded that there might be  
reason not to. Perhaps that should be written into the spec too. Or  
perhaps there are technical ways in which it could be shared safely  
within the UA, which is what I was trying to explore. Its probably  
worth stating somewhere that merely claiming that the downloaded file  
is Arial is not enough, in and of itself, to start using it on any  
page that specifies Arial in its font-family property.

> Signatures can be forged and you can’t definitively tell if two  
> files are identical except by downloading them (which would defeat  
> the point).

Well if that is true, then I guess my idea wouldn't work then. Are you  
sure it is? I would think that you could query its file size in a  
theoretical new HTTP header to see if it exactly matched, and that  
would be something pretty precise. Font files that are downloaded with  
sizes that don't match their claims are not allowed to be shared  
between pages with different locations for the same supposed file.  
That could be written into the spec.

Maybe there is also a way to encrypt some of the fonts other vitals  
(font metrics and file info) into a small header file for  
verification, using a certificate. Then the encrypted header could be  
compared to the vitals of the font already downloaded to see if it is  
the same, or if it is a different font. That would tell you if the  
fonts were exactly the same and would not need to be re-downloaded. If  
the font vitals did not match what the header claimed, then the font  
file should not be used as a stand-in for pages that claim to have the  
same font at a different location.

>> Which in turn means that I will need a separate version for my https
>> site than for my http site, right? Otherwise the browser might
>> display some sort of warning about mixed security on the page if I
>> have the http URI on the https page, right? Any way around that?
>
> This is a user agent issue. If there’s a problem with it, talk to  
> the UA vendor.

I brought it up to confirm if my understanding was correct, since it  
is relevant to what I was proposing. I was also asking if anyone was a  
aware of a way around that, given that I might know everything there  
is to know. If so, then the CSS technical issue I am trying to solve  
is much less of an issue.

> Assuming that you can’t live with such a warning message for fear  
> that your users will panic and that downloading the font file a  
> second time is unacceptable, you could always scrap use of the font  
> in HTTPS documents. You might also use an HTTPS font file for even  
> HTTP pages, but then, I assume, you would still get the mixed  
> content message and ignorant users might still panic even though  
> their page is /more/ secure. Or you could just not use this feature  
> at all.

Thank you so much for delineating my options. That's not what I was  
looking for though. I thought we were discussing the technical issues  
surrounding the permanence and "sharability" of fonts. Whether or not  
having a font accessed from another site would trigger a security  
alert in the one browser that has such alerts (but won't likely  
support the spec) is certainly relevant to know. It is relevant for  
knowing how big the issue is. It is not so that I can have my own  
personal options explained to me based on your assumptions.


> Also, isn’t this another one of those things that would apply to  
> other file formats? Again, why except font file formats?

explained above.

>> I suppose if IE was the only one to display those annoying alerts
>> (that most people ignore but some people are alarmed by), then it
>> wouldn't matter much, since MS seems to be against supporting font
>> downloads that are not in their EOT format anyway. Or would IE
>> display the alert anyway, even though it wouldn't load the font?I
>> wouldn't presume that IE would suppress the alert when it didn't
>> matter; that would probably make too much sense, and I've long ago
>> given up on IE having reasonable, logical, predictable behavior.
>
> You’d have to ask someone at Microsoft about that.

Did you think this e-mail was off-list, just to you? Knowing that  
someone at Microsoft has actually been reading at least some of this  
thread means that I have asked someone at Microsoft.

Received on Wednesday, 16 April 2008 03:29:43 UTC