- From: Sylvain Galineau <sylvaing@microsoft.com>
- Date: Thu, 10 Feb 2011 17:15:15 +0000
- To: Håkon Wium Lie <howcome@opera.com>, John Daggett <jdaggett@mozilla.com>
- CC: "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, Anne van Kesteren <annevk@opera.com>
[Håkon Wium Lie:] > Yes. It's a tradeoff. Slightly more work for font publishers with > restrictions -- they would have to add this to their .htaccess file: > > <FilesMatch "\.(ttf|TTF|otf|OTF|woff|WOFF)$"> > Header set From-Origin same > </FilesMatch> That's not work for font publishers, that's work for the guy who licensed and paid for the font and now needs to monkey around with his HTTP server config to conform to the license. (And assumes he has access to .htaccess, which is not always the case e.g. small business using a hosting service). Never mind the skills to do it correctly and verify that the font is indeed same-origin after the change. This also has to be done for every server that may serve the font for this domain etc. If, on the other hand, browsers enforce same-origin by default, then all the author has to do is to put the font in a directory on their server and reference it. Can we *at least* agree this is a much lower barrier for authors in the most general use-case ? > In return we get a mechanism that the whole web can use, one that also > solves privacy concerns. Solving the problem generally is always nice, but as the default behavior of the general solution conflicts with the smart default for fonts it does not really improve on the current solution for our purposes. One possible tweak would be to say that resources loaded by @font-face should be treated as if From-Origin:same was set unless the server sets that header.
Received on Thursday, 10 February 2011 17:15:51 UTC