Re: suggested WOFF changes

On Tue, Jun 22, 2010 at 8:00 AM, Levantovsky, Vladimir
<Vladimir.Levantovsky@monotypeimaging.com> wrote:
> On Monday, May 10, 2010 10:24 PM John Daggett wrote:
>>
>> > User Agents MUST NOT permanently install fonts delivered in a WOFF
>> > format as system resident fonts, and SHOULD only use downloaded
>> > fonts to render the content of a webpage that WOFF resources are
>> > associated with.
>>
>> This is redundant, the CSS3 Fonts specification already defines this
>> behavior for *all* font types, not just WOFF [2].  See section 4.1:
>>
>>   "Downloaded fonts are only available to documents that reference
>> them,
>>    they must not be made available to other applications or other
>>    documents."
>>
>> The primary reason for this is security, the content of a given page
>> should not influence content of a different page unless the resources
>> are explicitly shared (i.e. the pages link to the same resource).
>>
>
> I found an interesting discussion where WOFF was mentioned [1], and it appears that the UA behavior/requirements specified by CSS spec with regard to downloadable fonts may not be supported by some browsers. In light of this discussion: taking into account that implementers expect to see any relevant requirements clearly mentioned in the spec and that the WOFF spec is so far the only web font specification developed by W3C - I think it's worth to mention explicitly what the expected UA behavior must be when consuming WOFF resource, and appending the proposed text to the second paragraph of the Introduction section seems to be logical and appropriate.
>
> I don’t think it would be a problem reiterating what CSS spec already says (and we can also make a reference to CSS spec here to connect the dots).
>
> Thank you and regards,
> Vlad
>
>
> [1] http://krijnhoetmer.nl/irc-logs/whatwg/20100303#l-194
>
>>
>> CSS3 Fonts @font-face description:
>> [2] http://dev.w3.org/csswg/css3-fonts/#font-face-rule

I think this is a layering violation.  The very concept of an origin
has no relevance to a font format (this isn't EOT2).  This is entirely
the responsibility of the API used to access the resource.  For
example, a specialized program that uses wget to grab a font and
specifically install it is a User Agent, but one that doesn't want to
and doesn't need to pay attention to any sort of origin restrictions
(there may be further legal restrictions dealing with installing or
using the font, but that's a separate matter).

@font-face defines how it acts by itself.  That's all we need.  If a
browser isn't willing to enable same-origin restrictions for
@font-face in general, they almost certainly won't do it for WOFF
specifically.

The correct way forward is just to make sure that browsers *do*
implement the same-origin restrictions specified for @font-face.  We
can perhaps add an informative note into the WOFF spec saying that, as
a web font format, WOFF files are expected to be used with embedding
APIs that offer same-origin restrictions.  But it's inappropriate to
express this in normative language, in my opinion.

~TJ

Received on Tuesday, 22 June 2010 16:32:03 UTC