- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Wed, 17 Nov 2021 17:20:57 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `Local Font Access Limitations`. <details><summary>The full IRC log of that discussion</summary> <fantasai> Topic: Local Font Access Limitations<br> <fantasai> github: https://github.com/w3c/csswg-drafts/issues/4497<br> <fantasai> astearns: Topic is about local fonts needed for i18n particularly<br> <fantasai> [side discussion about positioning of Agenda Item 9]<br> <fantasai> smfr: Myles isn't here<br> <fantasai> s/here/here, probably should be here/<br> <fantasai> astearns: Other browsers than Safari probably need to sign on for whatever local font access we decide on here<br> <fantasai> s/here/here also/<br> <fantasai> chris: It would be good to get some movement on this.<br> <fantasai> chris: Felipe made a good suggestion, and thumbs up in thread<br> <fantasai> chris: Richard confirmed he liked the suggestion<br> <fantasai> chris: Maybe we can resolve to accept the suggestion, and then work out the details in the spec<br> <fantasai> chris: The general principle seems sound<br> <fantasai> Felipe's suggestion at https://github.com/w3c/csswg-drafts/issues/4497#issuecomment-763459971<br> <fantasai> astearns: Summary is having some sort of permission interface, where if a web page tries to use a local font and browser notices local font is in system, UI would come up<br> <fantasai> astearns: timed to make fingerprinting more difficult<br> <jfkthame> q+<br> <fantasai> astearns: allows user to enable font access<br> <smfr> q+<br> <fantasai> r12a: Then can have a checkbox for "don't ask me about this font again"<br> <chris> q+<br> <fantasai> jfkthame: Interested in Gecko<br> <astearns> ack jfkthame<br> <fantasai> jfkthame: Doing some foundational work towards potentially restricting font access<br> <fantasai> jfkthame: One aspect not directly talked about, seems there are several senses in which a website could want to use a locally-installed font<br> <fantasai> jfkthame: worth highlighting the distinction<br> <fantasai> jfkthame: might be font name is given in font-family property<br> <fantasai> jfkthame: so that specific font family is specifically requested, and page would like to use, and might or might not be allowed<br> <fantasai> jfkthame: But what about font fallback? Character that is not in other fonts<br> <fantasai> jfkthame: Would that trigger requests like this?<br> <fantasai> jfkthame: Should there be a user request for fallback, when the character is not available in other fonts?<br> <chris> qq+ to answer<br> <fantasai> jfkthame: I think the fingerprinting implications are different<br> <fantasai> jfkthame: I think for fallback, I think it's particularly concerning for minority languages<br> <astearns> ack chris<br> <Zakim> chris, you wanted to react to jfkthame to answer<br> <fantasai> jfkthame: For such users, any font that supports the language would be helpful<br> <fantasai> chris: For fallback case, script can know that fallback was used, but doesn't know which one<br> <fantasai> chris: so imo shouldn't require a user permissions font<br> <astearns> ack smfr<br> <fantasai> jfkthame: well, you are exposing the fact that the user has *a* font that supports these characters<br> <fantasai> smfr: In general, we don't believe permission prompts are useful solution to this kind of problem<br> <fantasai> smfr: one reason is user fatigue; users don't read the dialog, just want it out of the way<br> <fantasai> smfr: Then it's really impossible to explain to users what fingerprinting means and implications<br> <r12a> q+<br> <fantasai> smfr: ....<br> <fantasai> smfr: Then users don't understand whether web page or browseris showing the dialog<br> <fantasai> smfr: long-term approach should be that system fonts have support for these minority languages<br> <fantasai> smfr: so that we don't need to run into this problem in the first place<br> <astearns> ack chris<br> <tantek> +1 smfr, permission prompts are not a reasonable answer to this (users can't be expected to make informed consent)<br> <fantasai> chris: the page gets laid out without the font, the dialog box pops up asking permission to allow this, so that next time come to that site (per origin) not bothered by it<br> <fantasai> chris: so rapidly not going to run into this problem<br> <astearns> ack chris<br> <fantasai> chris: a font on system that covers the charset vs specific font that gives the right design is different<br> <fantasai> chris: ....<br> <fantasai> r12a: There is somewhere a long post on one of these issues where I addressed the question of system fonts being able to display the text<br> <fantasai> r12a: there are certain scripts and orthographies where not only does it not look good, but it actually causes problems in representing semantics<br> <fantasai> r12a: Might end up with wrong kind of glyphs, doesn't look the way you expect as a user of tye script<br> <fantasai> r12a: Don't see any way to rely on system fonts here<br> <chris> suspect r12a is referring to this: https://github.com/w3c/csswg-drafts/issues/4497#issuecomment-594521142<br> <fantasai> r12a: Also people like font designers have a problem, they can't check their fonts if they can't see them<br> <chris> with Western Syriac example<br> <fantasai> r12a: Noto fonts are not a panacea<br> <fantasai> r12a: They are often in need of significant repair to do the job<br> <fantasai> r12a: Sometimes missing for certain minority scripts<br> <fantasai> r12a: Not coverage of characters, sometimes not the right glyph shapes<br> <fantasai> r12a: A dialog box in front of the user is not great<br> <fantasai> r12a: But it's better than not being able to get the font that you want<br> <fantasai> r12a: I couldn't think of any better solution to it<br> <fantasai> r12a: It will probably help if we have the ability to say "don't remind me, about this particular font"<br> <fantasai> r12a: I don't think there's a good solution here<br> <fantasai> r12a: If you're creating web pages, you are checking your page using localhost<br> <fantasai> r12a: and in that situation, there's not going to be any phishing<br> <fantasai> r12a: major pain in the butt if you can't spin up the page with the font you'd like to see<br> <chris> localhost is just one example of an origin<br> <fantasai> r12a: So I'd like to argue that if you're working on localhost, then that should not prevent you from seeing fonts<br> <fantasai> astearns: My current take is that we're not ready to resolve on anything<br> <fantasai> astearns: but encouraged by the fact that Gecko is interested in figuring out<br> <fantasai> astearns: Sounds to me that there are some valid concerns about permission interfaces<br> <fantasai> astearns: but also valid concerns about not doing anything and just relying on system fonts<br> <fantasai> astearns: so I hope that people engage on the issue, because this is something that we need to solive<br> <fantasai> astearns: Thanks, r12a, for joining us<br> </details> -- GitHub Notification of comment by css-meeting-bot Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4497#issuecomment-971792178 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 17 November 2021 17:20:59 UTC