Re: [csswg-drafts] [css-fonts-3] [css-fonts-4] Font fetching in anonymous mode makes it impossible to link to fonts behind authentication (#3194) from CSS Meeting Bot via GitHub on 2019-05-22 (public-css-archive@w3.org from May 2019)

From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
Date: Wed, 22 May 2019 18:34:41 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-494879994-1558543021-sysbot+gh@w3.org>

The CSS Working Group just discussed `Font fetching in anonymous mode makes it impossible to link to fonts behind authentication`.

<details><summary>The full IRC log of that discussion</summary>
&lt;AmeliaBR> Topic: Font fetching in anonymous mode makes it impossible to link to fonts behind authentication<br>
&lt;AmeliaBR> github: https://github.com/w3c/csswg-drafts/issues/3194<br>
&lt;AmeliaBR> myles:  Anyone knowledgeable about this? I don't understand it fully.<br>
&lt;AmeliaBR> florian: I can introduce, but I'm not an expert either.<br>
&lt;AmeliaBR> Rossen_: This issue has been open 6 months. Can we at least acknowledge that this is an issue we should be trying to address?<br>
&lt;AmeliaBR> … We need to distinguish whether it's difficult or whether we don't care. Encourage engagement on GitHub.<br>
&lt;AmeliaBR> florian: The font spec requires that when we fetch the font we use anonymous mode for fetching. If the font (along with the rest of the website) requires authentication cookies, then the font is blocked because anonymous makes it look like you're not logged in.<br>
&lt;AmeliaBR> … Did we do this on purpose?<br>
&lt;fantasai> florian: If not can we fix it? Because it's causing problems<br>
&lt;fantasai> AmeliaBR: this ties into discussion on url modifiers and other loading modifiers in CSS<br>
&lt;fantasai> AmeliaBR: I think it's something we can fix given we'll have a way to control cross-origin authentication level<br>
&lt;fantasai> AmeliaBR: We've talked about upgrading image() to use CORS with or without authentication<br>
&lt;fantasai> AmeliaBR: Another way is for fonts and a few others that we do currently say Anonymous<br>
&lt;fantasai> AmeliaBR: a cross-origin modifier can be used to upgrade to fetch with authentication<br>
&lt;fantasai> florian: Something missing to me is use case for putting the fonts behind the login<br>
&lt;fantasai> AmeliaBR: You covered the use case: when your entire website is behind authentication<br>
&lt;fantasai> Rossen_: My ask is that ppl interested in the area please engage with the issue on GH and let's see if we can make some progress there<br>
</details>


-- 
GitHub Notification of comment by css-meeting-bot
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3194#issuecomment-494879994 using your GitHub account

Received on Wednesday, 22 May 2019 18:34:42 UTC