- From: John Daggett via cvs-syncmail <cvsmail@w3.org>
- Date: Thu, 28 Apr 2011 07:26:54 +0000
- To: public-css-commits@w3.org
Update of /sources/public/csswg/css3-fonts
In directory hutz:/tmp/cvs-serv7991
Modified Files:
Fonts.html Overview.html
Log Message:
rework at-risk wording regarding same origin restriction
Index: Fonts.html
===================================================================
RCS file: /sources/public/csswg/css3-fonts/Fonts.html,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -d -r1.53 -r1.54
--- Fonts.html 28 Apr 2011 06:09:11 -0000 1.53
+++ Fonts.html 28 Apr 2011 07:26:52 -0000 1.54
@@ -290,6 +290,13 @@
<li><a href="#same-origin-restriction"><span class=secno>4.8
</span>Same-origin restriction for fonts</a>
+ <ul class=toc>
+ <li><a href="#default-same-origin-restriction"><span class=secno>4.8.1
+ </span>Default same-origin restriction</a>
+
+ <li><a href="#allowing-cross-origin-font-loading"><span
+ class=secno>4.8.2 </span>Allowing cross-origin font loading</a>
+ </ul>
</ul>
<li><a href="#font-matching-algorithm"><span class=secno>5 </span>Font
@@ -2666,6 +2673,9 @@
<h3 id=same-origin-restriction><span class=secno>4.8 </span>Same-origin
restriction for fonts</h3>
+ <h4 id=default-same-origin-restriction><span class=secno>4.8.1
+ </span>Default same-origin restriction</h4>
+
<p>User agents must implement a same-origin restriction when loading fonts
via the @font-face mechanism. This restriction limits the loading of fonts
for a given document to fonts loaded from the same origin. Fonts can only
@@ -2678,6 +2688,12 @@
whether a font is same origin or not, only the origin of the containing
document is used. The restriction applies to all font types.
+ <p class=issue>Some implementers would prefer to define a new mechanism
+ (tentatively named From-Origin) to control access to all resource types,
+ in preference to the origin matching algorithm referred to here. As such,
+ this subsection should be considered at risk for alteration if such an
+ alternative mechanism is defined.
+
<p>Given a document located at http://example.com/page.html, fonts defined
with ‘<code class=property><a href="#descdef-src">src</a></code>’
definitions considered cross origin must not be loaded:
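Review bot: the new issue paragraph in 4.8.1 names From-Origin without a link or bibliography entry, and "the origin matching algorithm referred to here" does not say which algorithm is meant. Suggest citing the proposal (or stating that it is not yet written up) and naming the algorithm explicitly, so an implementer can tell which normative text is at risk.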
@@ -2694,20 +2710,20 @@
src: url(http://another.example.com/fonts/simple.ttf);
</pre>
+ <h4 id=allowing-cross-origin-font-loading><span class=secno>4.8.2
+ </span>Allowing cross-origin font loading</h4>
+
<p>User agents must also implement the ability to relax this restriction
using cross-site origin controls <a href="#CORS"
rel=biblioentry>[CORS]<!--{{!CORS}}--></a>. Sites can explicitly allow
cross-site downloading of font data using the
<code>Access-Control-Allow-Origin</code> HTTP header.
- <p class=issue>Some implementers feel a same-origin restriction should be
- the default for all new resource types, including fonts, while others feel
- strongly that an opt-in strategy usable for all resource types would be a
- better mechanism and that the default should always be to allow
- cross-origin linking for consistency with existing resource types (e.g.
- script, images). As such, this subsection should be considered at risk for
- removal or alteration if the consensus is to use an alternative mechanism.
-
+ <p class=issue>If an alternative mechanism to control resource loading
+ (such as the suggested From-Origin HTTP header) is specified, the
+ appropriate mechanism to relax the default same-origin restriction for
+ @font-face may also change. As such, this subsection should be considered
+ at risk for alteration if such an alternative mechanism is defined.
<h2 id=font-matching-algorithm><span class=secno>5 </span>Font matching
algorithm</h2>
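Review bot: the replacement issue paragraph in 4.8.2 drops two things the removed paragraph recorded: that some implementers want cross-origin linking allowed by default (as for script and images), and that the text was at risk for "removal", not only "alteration". If the default itself is still contested, keep a sentence saying so, otherwise readers will take same-origin-by-default as settled. The blank line before the h2 for section 5 was also removed with the old paragraph; restore it if that was unintended.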
Index: Overview.html
===================================================================
RCS file: /sources/public/csswg/css3-fonts/Overview.html,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -d -r1.20 -r1.21
--- Overview.html 28 Apr 2011 06:09:11 -0000 1.20
+++ Overview.html 28 Apr 2011 07:26:52 -0000 1.21
@@ -290,6 +290,13 @@
<li><a href="#same-origin-restriction"><span class=secno>4.8
</span>Same-origin restriction for fonts</a>
+ <ul class=toc>
+ <li><a href="#default-same-origin-restriction"><span class=secno>4.8.1
+ </span>Default same-origin restriction</a>
+
+ <li><a href="#allowing-cross-origin-font-loading"><span
+ class=secno>4.8.2 </span>Allowing cross-origin font loading</a>
+ </ul>
</ul>
<li><a href="#font-matching-algorithm"><span class=secno>5 </span>Font
@@ -2666,6 +2673,9 @@
<h3 id=same-origin-restriction><span class=secno>4.8 </span>Same-origin
restriction for fonts</h3>
+ <h4 id=default-same-origin-restriction><span class=secno>4.8.1
+ </span>Default same-origin restriction</h4>
+
<p>User agents must implement a same-origin restriction when loading fonts
via the @font-face mechanism. This restriction limits the loading of fonts
for a given document to fonts loaded from the same origin. Fonts can only
@@ -2678,6 +2688,12 @@
whether a font is same origin or not, only the origin of the containing
document is used. The restriction applies to all font types.
+ <p class=issue>Some implementers would prefer to define a new mechanism
+ (tentatively named From-Origin) to control access to all resource types,
+ in preference to the origin matching algorithm referred to here. As such,
+ this subsection should be considered at risk for alteration if such an
+ alternative mechanism is defined.
+
<p>Given a document located at http://example.com/page.html, fonts defined
with ‘<code class=property><a href="#descdef-src">src</a></code>’
definitions considered cross origin must not be loaded:
@@ -2694,20 +2710,20 @@
src: url(http://another.example.com/fonts/simple.ttf);
</pre>
+ <h4 id=allowing-cross-origin-font-loading><span class=secno>4.8.2
+ </span>Allowing cross-origin font loading</h4>
+
<p>User agents must also implement the ability to relax this restriction
using cross-site origin controls <a href="#CORS"
rel=biblioentry>[CORS]<!--{{!CORS}}--></a>. Sites can explicitly allow
cross-site downloading of font data using the
<code>Access-Control-Allow-Origin</code> HTTP header.
- <p class=issue>Some implementers feel a same-origin restriction should be
- the default for all new resource types, including fonts, while others feel
- strongly that an opt-in strategy usable for all resource types would be a
- better mechanism and that the default should always be to allow
- cross-origin linking for consistency with existing resource types (e.g.
- script, images). As such, this subsection should be considered at risk for
- removal or alteration if the consensus is to use an alternative mechanism.
-
+ <p class=issue>If an alternative mechanism to control resource loading
+ (such as the suggested From-Origin HTTP header) is specified, the
+ appropriate mechanism to relax the default same-origin restriction for
+ @font-face may also change. As such, this subsection should be considered
+ at risk for alteration if such an alternative mechanism is defined.
<h2 id=font-matching-algorithm><span class=secno>5 </span>Font matching
algorithm</h2>
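Review bot: every hunk for Overview.html repeats the Fonts.html hunk at the same offsets with the same added and removed lines, so both From-Origin issue paragraphs now live in two files. If one file is produced from the other, say so in the log message; if not, any later rewording of these at-risk notes has to be applied twice and can drift.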
Received on Thursday, 28 April 2011 07:26:56 UTC