- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 Oct 2020 16:01:19 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `Spec should not allow UAs to ignore user-installed fonts`, and agreed to the following: * `RESOLVED: Add explanatory text about tradeoffs on blocking local fonts, particularly wrt i18n considerations` <details><summary>The full IRC log of that discussion</summary> <fantasai> Topic: Spec should not allow UAs to ignore user-installed fonts<br> <r12a> https://github.com/w3c/csswg-drafts/issues/5421<br> <fantasai> github: https://github.com/w3c/csswg-drafts/issues/5421<br> <fantasai> r12a: Chris says I'm arguing quite well, not sure I am, but I do have this bad feeling about not allowing people to use system fonts at all<br> <fantasai> r12a: And that feeling gets worse when dealing with minority scripts, which I do every day<br> <chris> locally installed fonts<br> <fantasai> r12a: If there's a mechanism to allow people to use particular system fonts, that's not so bad<br> <myles> q+<br> <fantasai> r12a: But it's coming across as a blanket refusal to allow any system fonts, and that worries me<br> <fantasai> r12a: Similar topic in severa threads at the moment<br> <fantasai> r12a: Also worried people might assume that, e.g. if you have a Noto font on your system, then you're fine for Javanese or Tai Tam, or whatever, and that's not the case.<br> <fantasai> r12a: ? very substantially changed the font as of this September<br> <chris> s/?/Google<br> <Rossen_> q?<br> <florian> s/?/adlam/<br> <fantasai> r12a: These things happen, people need access to fonts immediately, even if not system fonts<br> <fantasai> r12a: Particularly for people developing stuff in localhost or file-based URIs<br> <fantasai> r12a: Having to create a webfont just to test the font and see what it looks like is very awkward<br> <fantasai> r12a: I don't think local files should be covered<br> <fantasai> r12a: So those are some of my thoughts<br> <Rossen_> ack myles<br> <fantasai> s/allow any system fonts/any local non-system fonts/<br> <fantasai> myles: I think we're more in agreement than not, actually<br> <fantasai> s/particular system/particular local/<br> <fantasai> myles: I want to bring up some subtlety<br> <fantasai> myles: Allowing user-installed fonts is good in some cases and bad in others<br> <fantasai> myles: Spectrum, you could allow all fonts all the time, or disallow all user-installed fonts all the time<br> <fantasai> myles: But examples<br> <chris> xfq not exactly, by local fonts we mean both<br> <fantasai> myles: Maybe you're in a locale, and there's a font users install, everyone has that font and it's what allows that script to be rendered<br> <fantasai> myles: That's not a case where fingerprinting is such a big problem<br> <r12a> q+<br> <fantasai> myles: What places are fonts allowed vs not allowed?<br> <fantasai> myles: User agents and users can have the ability to pick where in the middle of those things they want to fall<br> <chris> see https://drafts.csswg.org/css-fonts-4/#preinstalled-and-user-installed-fonts<br> <fantasai> myles: Right now Safari has picked a place in that specture. Other browsers have picked other places along that spectrum.<br> <fantasai> myles: What I think spec should say isn't that one extreme is right or other is right<br> <fantasai> myles: Spec should say there are pros and cons to places on this spectrum, and UA has to pick the best place it can<br> <fantasai> myles: That's why I picked the word "may", which indicates UA-discretion<br> <fantasai> myles: Wanted to bring up two other points<br> <chris> local() is a way to access local fonts so that a) you can add descriptors and b) you can rename them and c) add them into composite fonts<br> <fantasai> myles: Earlier this week, Open UI meeting where I brought up idea of a font picker that would explicitly allow users to punch through this policy<br> <chris> q+<br> <fantasai> myles: allow particular user font on the web page, user can pick the font and it becomes available to the web page<br> <xfq> https://www.w3.org/TR/2020/NOTE-PFE-evaluation-20201015/<br> <fantasai> myles: Also workin W3C Web Fonts WG, want to allow fonts to download only the parts of the font the browser needs<br> <fantasai> myles: So makes the web fonts more usable in more contexts<br> <fantasai> myles: There are other efforts in the user-installed fonts world, trying to find more specific places on the spectrum, different from allow everything vs disallow everythng<br> <fantasai> myles: This is a place where users and UAs can pick what makes sense for them<br> <Rossen_> ack myles<br> <fantasai> r12a: Maybe part of the problem is that we're not discussing things in the middle much, so this is interesting<br> <fantasai> r12a: I also wanted to say that, you'd mentioned if there's only one font available, then that's not a problem for fingerprinting<br> <fantasai> r12a: There was a key proposal<br> <fantasai> r12a: One key issue, if you are localized in Burma and using Ryohinga font and that's the only on your system<br> <fantasai> r12a: You are more identifiable<br> <myles> q++<br> <chris> yes, identification of ethnic minorities<br> <myles> qq+<br> <fantasai> r12a: than you were before when you had a larger list of fonts available<br> <Rossen_> ack r12a<br> <Rossen_> ack +<br> <fantasai> r12a: Big problem for me remains though, Safari, I can't use it anymore for the stuff that I do<br> <fantasai> r12a: I can't use my iPad or my iPhone either<br> <fantasai> r12a: Because there's no escape hatch at the moment<br> <fantasai> r12a: That's why I'm worried about this "may".<br> <fantasai> r12a: You can stop everyone from using user-defined fonts if you want to, seems a bit dangerous to me<br> <fantasai> r12a: People likely to do that without understanding the consequences<br> <Rossen_> ack myles<br> <Zakim> myles, you wanted to react to myles<br> <fantasai> myles: Everybody may, "everybody" doesn't appear in the spec<br> <fantasai> myles: Maybe we can solve the issue by putting more explanatory text<br> <fantasai> myles: Instructions helping UAs pick a good place for themselves on the spectrum<br> <fantasai> myles: Want to address case of user with only one font intstalled on the system<br> <fantasai> myles: case was actually, only one font for a script, and all users of that script have that font installed<br> <florian> q+<br> <fantasai> myles: For that user, things like Accent-Language header would already expose info<br> <fantasai> myles: Main point is, anyway, there's a spectrum<br> <chris> https://drafts.csswg.org/css-fonts-4/#font-taxonomy<br> <fantasai> chris: First, since confusion of terms<br> <fantasai> chris: system font vs local font<br> <Rossen_> ack chris<br> <fantasai> chris: I hear r12a saying shouldn't do something unless understand the consequences, and myles saying ...<br> <fantasai> chris: What about saying SHOULD NOT<br> <addison> q+<br> <fantasai> myles: SHOULD NOT implies directionality, and we should not use SHOULD NOT because one side of this spectrum isn't objectively better than the other<br> <Rossen_> ack florian<br> <fantasai> florian: I'm hearing Myles's point.<br> <astearns> q+<br> <fantasai> florian: I'm a bit uncomfortable<br> <myles> q+<br> <fantasai> florian: When Safari stopped supporting local fonts, it stopped passing a large part of WPT tests, because used local version of Ahem<br> <fantasai> florian: We have access to the source, so we fixed that<br> <fantasai> florian: but for awhile everyone using "Ahemese" could not read any pages<br> <chris> Yes there is a lot of existing, old content that will break<br> <fantasai> florian: r12a couldn't work on stuff<br> <addison> q-<br> <fantasai> florian: ..<br> <Rossen_> ack myles<br> <fantasai> florian: If r12a can't work, minority groups can't use the internet<br> <fantasai> myles: Safari isn't done with this problem<br> <fantasai> myles: If you want to use a user-installed font in Safari, it's possible. You turn the font into a base-64 URL and put it into your user style sheet<br> <fantasai> r12a: That works if you're a content developer, but not as a user<br> <chris> qq+<br> <fantasai> myles: It does work for users, it's in the Safari preferences<br> <Rossen_> ack chris<br> <Zakim> chris, you wanted to react to myles<br> <fantasai> chris: Myles, they could also download the source of every web page and edit it, but that's not a real solution<br> <fantasai> astearns: One thing that comes to mind is, we had this one line in the spec<br> <fantasai> astearns: And it raised concerns about its effects<br> <Rossen_> ack astearns<br> <fantasai> astearns: We've discussed ways of ameliorating those effects, by having a font picker, by having some way to opt in<br> <fantasai> astearns: Can we agree that line of text, without a way to work around it, was premature?<br> <fantasai> astearns: From standards perspective we should opt-in scenarios before allowing this<br> <fantasai> astearns: You MAY do this IF you allow these other ways of opting back in<br> <chris> that would work for me<br> <addison> +1 for alan's comment<br> <Rossen_> ack fantasai<br> <fantasai> fantasai: Couldn't Safari have a UI that allows the user to opt into a font or set of fonts?<br> <fantasai> fantasai: Because that would solve the minority scripts problem<br> <fantasai> fantasai: It's unlikely that Safari would know all the fonts that are critical in such a way, but the user could know<br> <fantasai> myles: That's a possibility<br> <fantasai> myles: Responding to Alan's point, if MAY was premature, if we take it out, it would be undefined<br> <fantasai> myles: Because this is such an open-ended space, I don't think we can say "you should do this if XYZ", because many places in the spectrum<br> <fantasai> myles: Maybe come to happy medium by adding explanatory text, and allow UAs to pick for themselves<br> <chris> User agents that wish to prioritize privacy over internationalization may choose to ... provided they provide a means to ...<br> <florian> q+<br> <fantasai> astearns: If we have this, shoudl have some language saying that "UAs may do this, but there must be a method to opt back into loading local fonts"<br> <fantasai> r12a: plus pros and cons<br> <fantasai> Rossen_: Can we resolve anything ?<br> <fantasai> myles: Can probably resolve on adding explanatory text<br> <fantasai> RESOLVED: Add explanatory text about tradeoffs on blocking local fonts, particularly wrt i18n considerations<br> <fantasai> florian: I would like this to be normative in the "you may ignore these things as long as you provide an opt-out"<br> <fantasai> florian: UAs are user agents, and could pick a different "agent"<br> <fantasai> florian: But on some operating systems, you don't actually have a choice<br> <fantasai> florian: of user agent<br> <fantasai> florian: And if that UA doesn't want to allow an opt-out, then you're stuck<br> <fantasai> florian: Can't force anybody's hand, but I think it would be a better balance<br> <fantasai> chris: I agree<br> <fantasai> +1 from fantasai<br> <Rossen_> ack florian<br> <r12a> +1 too<br> <Rossen_> ack fantasai<br> <addison> +1 from me;<br> <chris> Some of this can go in the security & privacy appendic. and some in the internationalization considerations section<br> <fantasai> fantasai: Agree to require an opt-out, so that the user can opt into using a font on a website so that they can read it<br> <chris> but the normative part needs to be in the main body of the spec<br> <fantasai> myles: We have the user agent stylesheet hack<br> <fantasai> florian: It counts, you're not blatantly violating the spec, but clearly not in line with the spirit<br> <myles> s/hack/option/<br> <fantasai> Rossen_: If this is something we need more time on, maybe we can find another slot for the joint group?<br> <fantasai> Rossen_: a few more font issues as well<br> </details> -- GitHub Notification of comment by css-meeting-bot Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5421#issuecomment-709425330 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 15 October 2020 16:01:21 UTC