- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 16 Feb 2011 11:38:22 -0800
- To: Behdad Esfahbod <behdad@google.com>
- Cc: John Daggett <jdaggett@mozilla.com>, Håkon Wium Lie <howcome@opera.com>, public-webfonts-wg@w3.org, Anne van Kesteren <annevk@opera.com>
- Message-id: <3329636C-44E0-41B4-A4A4-9294F26522AA@apple.com>
That would be painful to implement. The layers of the browser that decide whether to apply same-origin restrictions happen before any parsing of the format.

 - Maciej

On Feb 10, 2011, at 1:16 PM, Behdad Esfahbod wrote:

> Given the discussion going on, I wonder, has it been considered to include a SOR flag in the WOFF file itself? That solves both problems in that:
>
> 1) proprietary foundries can include the flag and those WOFF fonts will be checked for SOR by the browsers,
>
> 2) fonts and non-fonts are not inherently handled differently on the web. The SOR check originates from an explicit flag inside the content.
>
> My .02CAD
> behdad
>
>
> On Wed, Feb 9, 2011 at 11:38 PM, John Daggett <jdaggett@mozilla.com> wrote:
> Håkon Wium Lie wrote:
>
> > Same-origin restrictions (SOR), by way of CORS, is described in
> > the current WOFF WD. As we have seen on this list, the use of
> > CORS is seeing some resistance in the web community. I believe
> > it's in the interest of this WG to try to address the concerns
> > raised.
>
> I think this is a confusing way of describing the issue with
> same-origin restrictions on fonts. CORS is a mechanism for
> *relaxing* a same origin restriction, it's not a mechanism to
> *enforce* a same origin restriction.
>
> I think there are two separate issues here:
>
> 1. What should be the default load behavior for cross-origin
> font requests?
>
> 2. How can authors modify the default behavior?
>
> The existing same-origin restriction for WOFF is that by default
> cross-origin font requests aren't loaded but that this behavior
> can be modified by authors using the CORS mechanism. What Anne
> is proposing is that by default cross-origin font requests *are*
> loaded, just as images and scripts are loaded. But authors can
> restrict cross-site usage of *any* resource type by adding an
> appropriate 'From-Origin' header. The default load behavior is
> the real issue here, the mechanism for relaxing/tightening this
> is more interesting mechanics.
>
> As both Dave and Sylvain have pointed out, removing the default
> load restriction on cross-origin font resources means that
> authors would always need to change response header settings to
> satisfy common licensing requirements for commercial fonts. If
> cross-origin fonts are restricted by default they wouldn't need
> to do this.
>
> Note that it's also possible to have cross-origin font resources
> restricted by default *and* allow other types to be restricted
> via something like Anne's 'From-Origin' mechanism. I'm quite
> sure Anne doesn't like that though. ;)
>
> It would be good to get a clear response from Apple as to what
> their position is and the reasoning behind it.
>
> Regards,
>
> John Daggett
>
> cc: Anne
>
Received on Wednesday, 16 February 2011 19:39:37 UTC
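
The two defaults contrasted in the quoted message (cross-origin fonts blocked unless CORS relaxes the restriction, versus loaded unless a 'From-Origin' header restricts them), modelled as an added example that is not part of the original thread. The function names, the sample origins and the 'From-Origin' value syntax (`same` or a list of origins) are assumptions, and CORS is reduced to matching `Access-Control-Allow-Origin`; note that both decisions take only the URL and the response headers, never the font bytes.

```javascript
// Added illustration. Header names are given lower-cased; all inputs are constructed.
function originOf(url) {
  return new URL(url).origin;
}

// Model A: default deny for cross-origin fonts, relaxed by CORS.
function corsDefaultDeny(docOrigin, fontUrl, headers) {
  if (originOf(fontUrl) === docOrigin) return true; // same origin always loads
  const acao = headers['access-control-allow-origin'];
  return acao === '*' || acao === docOrigin;
}

// Model B: default allow for any resource, tightened by 'From-Origin'.
// Assumed syntax: 'same', or a space/comma separated list of allowed origins.
function fromOriginDefaultAllow(docOrigin, resourceUrl, headers) {
  if (originOf(resourceUrl) === docOrigin) return true;
  const value = headers['from-origin'];
  if (value === undefined) return true; // no header: cross-origin use is allowed
  const allowed = value.split(/[\s,]+/).filter(Boolean);
  // 'same' is not an origin, so it never matches a cross-origin requester.
  return allowed.includes(docOrigin);
}

// Run the same constructed responses through both models.
function compareModels(docOrigin, cases) {
  return cases.map(({ name, url, headers }) => ({
    name,
    cors: corsDefaultDeny(docOrigin, url, headers),
    fromOrigin: fromOriginDefaultAllow(docOrigin, url, headers),
  }));
}

const SAMPLE_CASES = [ // constructed sample data
  { name: 'same-origin, no headers', url: 'https://site.example/f.woff', headers: {} },
  { name: 'cross-origin, no headers', url: 'https://cdn.example/f.woff', headers: {} },
  { name: 'cross-origin, ACAO *', url: 'https://cdn.example/f.woff',
    headers: { 'access-control-allow-origin': '*' } },
  { name: 'cross-origin, From-Origin same', url: 'https://cdn.example/f.woff',
    headers: { 'from-origin': 'same' } },
  { name: 'cross-origin, From-Origin lists site', url: 'https://cdn.example/f.woff',
    headers: { 'from-origin': 'https://site.example' } },
];

for (const row of compareModels('https://site.example', SAMPLE_CASES)) {
  console.log(`${row.name}: CORS model=${row.cors}, From-Origin model=${row.fromOrigin}`);
}
```

The second row is the one the thread turns on: a font server that sends no special headers is blocked under the first model and loaded under the second.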