W3C home > Mailing lists > Public > www-style@w3.org > June 2009

Re: New work on fonts at W3C

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 23 Jun 2009 19:51:51 +0200
To: "Brad Kemper" <brad.kemper@gmail.com>
Cc: "Mikko Rantalainen" <mikko.rantalainen@peda.net>, François REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>, "CSS 3 W3C Group" <www-style@w3.org>
Message-ID: <op.uvznwpbg64w2qv@annevk-t60>
On Tue, 23 Jun 2009 19:00:59 +0200, Brad Kemper <brad.kemper@gmail.com> wrote:
> On Jun 23, 2009, at 8:26 AM, Anne van Kesteren wrote:
>> That is not the only concern, though even if you disagree a feature  
>> that has negative impact when incorrectly used on clients that support  
>> it is certainly considered to be problematic by implementors. The other  
>> concern is that a simple proxy server can circumvent the limitation in  
>> most cases (when credentials are not involved).
>
> That other concern is no more or less an issue with CORS than when it is  
> used as currently specified.

Actually it is, because CORS as currently specified does not give the pretense of providing protection against that.


>>> Besides images, a restrictive header could also be used to prevent
>>> illegal iframing of pages, such as what currently aids phishing attacks
>>> and click-jacking.
>>
>> CORS is not a solution for this. (Also, solutions for this particular  
>> problem are floating around, but there's no agreement yet on what  
>> exactly it should be.)
>
> I don't see why it couldn't be, if it expanded its role just a bit. A  
> page has headers too, and the UA could check those headers before  
> displaying the page in a frame or iframe.

Because an <iframe> wants to know which parent is embedding it rather than who requested the resource. Also, the semantics of the header under discussion is about sharing the contents of the resource, not whether embedding inside a frame is allowed or not.


>> I do not see why fonts ought to get special treatment and cannot be  
>> treated just like images, videos, etc.
>
> Well, exactly. That's why I prefer a general solution such as CORS, to  
> an issue that font creators are having with their property being too  
> freely available. They are the ones that are preventing wide spread  
> adoption right now, but a general solution would help many others with  
> IP they would like to make accessible on a more restricted basis.

Do you have any data to back this up? It seems foremost that @font-face not being widely implemented is what is hindering adoption here.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 23 June 2009 17:52:38 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:19 GMT