- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 10 Nov 2008 11:53:54 -0500
- To: Brad Kemper <brkemper.comcast@gmail.com>
- CC: www-style@w3.org
Brad Kemper wrote:
>> 1) by default, font resources linked with @font-face will be protected
>> by access control same origin restrictions
...
> Is there any way for the author to turn that off? Or to specify a list
> of sites that all belong to the same licensee or are used by the same
> licensee?

Yes, see the Access Control draft.

> For instance, if my main site is www.xyz.com
> <http://www.xyz.com>, can I still use it with 123.xzy.com, xyz.com, and
> secure.xyz.com, so that I don't have to have 4 different fonts or have
> the same font load 4 times without caching between these domains?

Yes, if you set up the server that serves up the font correctly.

> And what about if my "site" (in the larger sense) is using pages on other
> servers that are not part of my domain? Often these outsourced sections
> of my site allow me to have a custom CSS file for integration of the
> look and feel. How can I get them to use my font, without actually being
> able to serve it from their servers?

See the Access Control draft. Basically, you just have to send the appropriate Allow HTTP headers with your font. How those headers get there is up to your HTTP server, of course. If you want to use an XML file for configuring this, go for it. Your HTTP server just needs to support that syntax.

> But I don't think it would offer any protection. Do the operating
> systems need to be updated so that they can read compressed versions of
> the fonts?

Vladimir's proposal is that the UA would do the decompression, then give the decompressed data to the OS. In fact, it depends on it being a patent violation for the OS. Except, of course, for an OS that's developed by the patent-holder, of course. I find this a cause for some concern.

> But if not, then the AU decompresses the font and then what? Saves it to a cache folder in a
> form that the OS can understand?

That depends on the APIs the OS exposes. Can you pass in TTF data directly as a memory buffer?

On many operating systems (Windows not in that set, but most Unices in it) you can create the file, open it, pass someone the file handle, and then unlink the file. As long as the file handle consumer doesn't close it, they and no one else can get at the data. There's a race here, of course, between creation and unlinking, but heck: the data is on disk _somewhere_ if you really want to get it. That's true even with the memory buffer, given paging. But all that is not the threat level we're trying to address here.

-Boris
Received on Monday, 10 November 2008 16:55:58 UTC
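
The create, open, unlink sequence described in the message above, as an added example that is not part of the original post. It assumes a POSIX system; the helper names and the `/tmp/fontcache-` template are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper: store `len` bytes in a temp file that has no name,
 * and return a descriptor positioned at offset 0 (or -1 on error).
 * The name exists only between mkstemp() and unlink(); that gap is the
 * race window the message mentions. */
int anon_file_from_buffer(const void *data, size_t len)
{
    char path[] = "/tmp/fontcache-XXXXXX";  /* constructed name template */
    int fd = mkstemp(path);                 /* exclusive create, mode 0600 */
    if (fd < 0)
        return -1;
    if (unlink(path) != 0) {                /* drop the name before any data is written */
        close(fd);
        return -1;
    }
    const char *p = data;
    while (len > 0) {                       /* cope with short writes */
        ssize_t n = write(fd, p, len);
        if (n <= 0) { close(fd); return -1; }
        p += n;
        len -= (size_t)n;
    }
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    return fd;                              /* hand this to the consumer */
}

/* Directory entries still naming the file behind fd (0 once unlinked). */
long link_count(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (long)st.st_nlink : -1;
}

int main(void)
{
    static const char sample[] = "constructed stand-in for decompressed font data";
    int fd = anon_file_from_buffer(sample, sizeof sample);
    if (fd < 0) { perror("anon_file_from_buffer"); return 1; }
    printf("links remaining: %ld\n", link_count(fd));
    close(fd);                              /* storage is released on last close */
    return 0;
}
```

Unlinking before the first write means the named file is only ever empty; the bytes can still reach disk blocks or swap, as the message points out.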