- From: John Daggett <jdaggett@mozilla.com>
- Date: Sun, 20 Feb 2011 17:38:20 -0800 (PST)
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Vladimir Levantovsky <Vladimir.Levantovsky@MonotypeImaging.com>, Håkon Wium Lie <howcome@opera.com>, public-webfonts-wg@w3.org, Sylvain Galineau <sylvaing@microsoft.com>

Maciej Stachowiak wrote:

> In fairness, Mozilla's argument isn't based on such an
> assumption, rather, Robert O'Callahan and others argue that
> default-denying embedding is a better model for resource access
> than default-allowing it, and should be changed for "all future
> resource types" (currently fonts are the only known or
> projected example). Mozilla folks seem to feel that applying
> the better model to a subset of types is more valuable than a
> consistent, but slightly suboptimal model. I think that is a
> reasonable argument, but I disagree about the balance of
> tradeoffs.

This is a fair summary. I think it's interesting here to point out that the HTML5 spec contains recently (2/11) added text that taints <canvas> elements when cross-origin fonts are used; one of the conditions for tainting is:

  The element's 2D context's fillText() or strokeText() methods are invoked and end up using a font that has an origin that is not the same as that of the Document object that owns the canvas element.

http://dev.w3.org/html5/spec/Overview.html#security-with-canvas-elements

So I think the default for fonts being "consistent" with other resource types such as images doesn't equate with simplicity, this is a leaky model that seems to require inconsistencies that are buried more deeply.

Regards,

John Daggett

Received on Monday, 21 February 2011 01:38:54 UTC