W3C home > Mailing lists > Public > www-style@w3.org > November 2008

RE: CSS3 @font-face / EOT Fonts - new compromise proposal

From: Levantovsky, Vladimir <Vladimir.Levantovsky@MonotypeImaging.com>
Date: Mon, 10 Nov 2008 13:11:56 -0500
Message-ID: <E955AA200CF46842B46F49B0BBB83FF2767B0C@wil-email-01.agfamonotype.org>
To: "Boris Zbarsky" <bzbarsky@MIT.EDU>, "Brad Kemper" <brkemper.comcast@gmail.com>
Cc: <www-style@w3.org>

Hi Boris, 

> -----Original Message-----
> From: www-style-request@w3.org 
> [mailto:www-style-request@w3.org] On Behalf Of Boris Zbarsky
> Sent: Monday, November 10, 2008 11:54 AM
> To: Brad Kemper
> Cc: www-style@w3.org
> Subject: Re: CSS3 @font-face / EOT Fonts - new compromise proposal
> 
> 
> Brad Kemper wrote:
> >> 1) by default, font resources linked with @font-face will be 
> >> protected by access control same origin restrictions
> ...
> > Is there any way for the author to turn that off? Or to 
> specify a list 
> > of sites that all belong to the same licensee or are used 
> by the same 
> > licensee?
> 
> Yes, see the Access Control draft.
> 
> > For instance, if my main site is www.xyz.com 
> <http://www.xyz.com>, can 
> > I still use it with 123.xzy.com, xyz.com, and 
> secure.xyz.com, so that 
> > I don't have to have 4 different fonts or have the same font load 4 
> > times without caching between these domains?
> 
> Yes, if you set up the server that serves up the font correctly.
> 
> > And what about if my "site" (in the larger sense) is using pages on 
> > other servers that are not part of my domain? Often these 
> outsourced 
> > sections of my site allow me to have a custom CSS file for 
> integration 
> > of the look and feel. How can I get them to use my font, without 
> > actually being able to serve it from their servers?
> 
> See the Access Control draft.  Basically, you just have to 
> send the appropriate Allow HTTP headers with your font.  How 
> those headers get there is up to your HTTP server, of course. 
>  If you want to use an XML file for configuring this, go for 
> it.  Your HTTP server just needs to support that syntax.
> 

Thank you for clarifying this.

> > But I don't think it would offer any protection. Do the operating 
> > systems need to be updated so that they can read compressed 
> versions 
> > of the fonts?
> 
> Vladimir's proposal is that the UA would do the 
> decompression, then give the decompressed data to the OS.  In 
> fact, it depends on it being a patent violation for the OS.
> 
> Except, of course, for an OS that's developed by the 
> patent-holder, of course.  I find this a cause for some concern.
> 

The patent holder is Monotype Imaging and we do not develop OSs. As you
pointed out, UA will do the decompression and then just handle the data
to OS. I really don't see any need for OS to implement its own
decompressor unless the same functionality (i.e. font
compression/decompression) is going to be offered for other applications
running on that OS. And, if this is ever the case, they are always
welcome to get your own license.

Best regards,
Vladimir

> > But if not, then the AU decompresses the font and then 
> what? Saves it 
> > to a cache folder in a form that the OS can understand?
> 
> That depends on the APIs the OS exposes.  Can you pass in TTF 
> data directly as a memory buffer?
> 
> On many operating systems (Windows not in that set, but most Unices in
> it) you can create the file, open it, pass someone the file 
> handle, and then unlink the file.  As long as the file handle 
> consumer doesn't close it, they and no one else can get at 
> the data.  There's a race here, of course, between creation 
> and unlinking, but heck: the data is on disk _somewhere_ if 
> you really want to get it.  That's true even with the memory 
> buffer, given paging.
> 
> But all that is not the threat level we're trying to address here.
> 
> -Boris
> 
> 
Received on Monday, 10 November 2008 18:12:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:55:16 GMT