- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 3 Apr 2015 17:57:00 +0200
- To: Zack Weinberg <zackw@panix.com>
- Cc: "www-style@w3.org" <www-style@w3.org>
On Fri, Apr 3, 2015 at 5:53 PM, Zack Weinberg <zackw@panix.com> wrote:
> I researched this back in 2011
> <https://www.owlfolio.org/htmletc/strawman-mime-type-for-fonts/>. At
> that time the only officially registered MIME type for a font format
> was "application/font-tdpfr", corresponding to an obsolete format that
> has never been implemented by any browser to my knowledge. The IANA
> registry now also includes application/font-sfnt and
> application/font-woff, but I doubt either of them has significant
> traction. In 2011, types being used (completely unofficially) for
> fonts included application/octet-stream, application/ttf,
> application/otf, application/truetype, application/opentype,
> application/woff, application/eot, all of the above with an x-prefix,
> and all of the above in font/ instead of application/, with or without
> the x-. I did not check whether Content-Type headers that specified a
> particular format were accurate.
>
> All the font formats that browsers actually support are unambiguously
> identifiable by their in-band metadata ("magic numbers" and the like)
> and it is therefore my opinion that, like images, font formats SHOULD
> be identified using that metadata, *not* any out-of-band declaration
> (in other words, browsers SHOULD continue to ignore the MIME type for
> fonts).
Sure, and I have done this when we introduced @font-face (and failed
to register font/ :-/), but that's not really the question. E.g. we
don't check MIME types for <script> either, but with
X-Content-Type-Options: nosniff we do. So the question is what is the
list of MIME types we want to whitelist for font use when that header
is specified.
--
https://annevankesteren.nl/
Received on Friday, 3 April 2015 15:57:24 UTC