- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 16 Feb 2011 20:55:02 -0800
- To: Chris Lilley <chris@w3.org>
- Cc: "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>
On Feb 16, 2011, at 2:05 PM, Chris Lilley wrote: > Hello, > > mjs: embedding rules in a central place is not controvertial > ... using From-Origin is preferred to CORS > ... first two are ok, third one not clear which is the assumed font > default > This part of the minutes came out a bit unclear (probably my fault for speaking too quickly). Since I think this point was somewhat important, here's a clarified version: I believe there are three separate dimensions to the From-Origin proposal: (1) Define any embedding restrictions related to fonts as part of the CSS3 Fonts spec (the place where @font-face is defined) instead of as part of the WOFF file format spec, so the rules apply consistently to all fonts. (2) Instead of using CORS headers to change the defaults for allowing font embedding, use a proposed new mechanism for limiting hotlinking (From-Origin) that can apply to any resource type. (3) Change the default to be that cross-site font embedding is allowed (as opposed to presuming "From-Origin: same" in the absence of a From-Origin header for @font-face). I think that on the call, we had rough consensus on #1 and #2. Everyone seemed to either think these are improvements, or was indifferent to the outcome. #3 still seems controversial. Most of those who spoke up on today's telecon believed that the default should still be to forbid cross-site font embedding by default. I personally disagreed and thought it was better to make fonts consistent with other resource types. If we do indeed have consensus on #1 and #2, I think that would greatly reduce the scope of remaining disagreement. Regards, Maciej
Received on Thursday, 17 February 2011 04:57:13 UTC