W3C home > Mailing lists > Public > www-style@w3.org > November 2008

Re: CSS3 @font-face / EOT Fonts - new compromise proposal

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 10 Nov 2008 11:53:54 -0500
Message-ID: <49186722.4080708@mit.edu>
To: Brad Kemper <brkemper.comcast@gmail.com>
CC: www-style@w3.org

Brad Kemper wrote:
>> 1) by default, font resources linked with @font-face will be protected 
>> by access control same origin restrictions
...
> Is there any way for the author to turn that off? Or to specify a list 
> of sites that all belong to the same licensee or are used by the same 
> licensee?

Yes, see the Access Control draft.

> For instance, if my main site is www.xyz.com 
> <http://www.xyz.com>, can I still use it with 123.xzy.com, xyz.com, and 
> secure.xyz.com, so that I don't have to have 4 different fonts or have 
> the same font load 4 times without caching between these domains?

Yes, if you set up the server that serves up the font correctly.

> And what about if my "site" (in the larger sense) is using pages on other 
> servers that are not part of my domain? Often these outsourced sections 
> of my site allow me to have a custom CSS file for integration of the 
> look and feel. How can I get them to use my font, without actually being 
> able to serve it from their servers? 

See the Access Control draft.  Basically, you just have to send the 
appropriate Allow HTTP headers with your font.  How those headers get 
there is up to your HTTP server, of course.  If you want to use an XML 
file for configuring this, go for it.  Your HTTP server just needs to 
support that syntax.

> But I don't think it would offer any protection. Do the operating 
> systems need to be updated so that they can read compressed versions of 
> the fonts?

Vladimir's proposal is that the UA would do the decompression, then give 
the decompressed data to the OS.  In fact, it depends on it being a 
patent violation for the OS.

Except, of course, for an OS that's developed by the patent-holder, of 
course.  I find this a cause for some concern.

> But if not, then the AU decompresses the font and then what? Saves it to a cache folder in a 
> form that the OS can understand?

That depends on the APIs the OS exposes.  Can you pass in TTF data 
directly as a memory buffer?

On many operating systems (Windows not in that set, but most Unices in 
it) you can create the file, open it, pass someone the file handle, and 
then unlink the file.  As long as the file handle consumer doesn't close 
it, they and no one else can get at the data.  There's a race here, of 
course, between creation and unlinking, but heck: the data is on disk 
_somewhere_ if you really want to get it.  That's true even with the 
memory buffer, given paging.

But all that is not the threat level we're trying to address here.

-Boris
Received on Monday, 10 November 2008 16:55:58 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:55:16 GMT