RE: WOFF without same origin restriction in Opera?

I’m not sure you understand what happened here. The ‘current’ solution *was* completely inadequate. Authors could either use free fonts or nothing. A crippled market where the only way to license professional fonts was to go through a few dedicated font obfuscation services (or, who knows, over time, a monopoly) was unappealing. That is where we were back when three browsers supported raw fonts.

A pragmatic solution emerged from very long discussions whereby font makers large and small were willing to license their products for web use as long as the font was packaged in such a way that it can’t just be dropped in your local font folder, and if it was restricted to same-origin by default (most licenses are typically single-domain). They don’t expect that’ll stop piracy but it matters to them that whoever wants to grab a font has to take steps to do so. (Web sites also don’t mind if you save them bandwidth at no extra cost but that wasn’t the motivation.) So while there is no technical reason web fonts should be compressed or SOR’ed, it just so happens that coding it this way makes an order of magnitude more fonts available to web authors and gives them more choice on how they want to deploy them. Is that bad?

It also happens that, contrary to your comment below, this solution does *not* require anyone to ‘scratch their head trying to get it to work on the web’. Quite the contrary. Most licenses require you to serve your font from the same domain as your page and everything will work fine as long as you do that. Nothing to do on your server except serving the font file. As long as all browsers implement SOR you don’t need to do any referrer checking to prevent teenagers from linking to the font you paid for in their MySpace page either. Just get your license, plop the file on your domain and you’re done.

If you do want to serve a font cross-domain then you will need to set one single HTTP header on your other server with a value of ‘*’. How is that harder than messing with Referrer checks?

Unfortunately, if some browsers do SOR and others don’t then some web sites may find themselves having to do extra work such as Referrer checks to comply with the most basic and common licensing restrictions as well as save their bandwidth. And if font vendors, having so far delivered on their side of the deal, lose confidence then that is a step backward. Unimpressive is the proper term.


From: Behdad Esfahbod [mailto:behdad@google.com]
Sent: Wednesday, January 26, 2011 10:38 AM
To: Sylvain Galineau
Cc: John Hudson; WOFF Working Group
Subject: Re: WOFF without same origin restriction in Opera?

On Wed, Jan 26, 2011 at 1:16 PM, Sylvain Galineau <sylvaing@microsoft.com> wrote:
It doesn’t always work and requires work on the part of the web site to implement it (not all sites do referrer checking for their images, or all their images). Having the browser enforce same-origin by default requires zero work on the site’s behalf to comply with the most common web font license requirement today.

But if some browsers choose to ignore this requirement then web sites may have to implement Referrer checks for those browsers anyway. It’s unclear why we should be making their lives harder than they need to be, or how it helps web typography adoption.
It must be noted that other solutions were proposed before WOFF; one of them was judged inadequate in part because it would have relied on unreliable and cumbersome Referrer checks.

So, in trying to solve the fonts-on-the-web problem, the WG decided that the current solutions are inadequate for the foundries, and invented an architecture that the foundries think is what they want, but left the rest of the world scratching their head trying to get it to work on the web? As in, now anyone who wants to share their fonts either has to not use WOFF, or be bothered to implement CORS on their server...

Unimpressed,
behdad



From: public-webfonts-wg-request@w3.org [mailto:public-webfonts-wg-request@w3.org] On Behalf Of Behdad Esfahbod
Sent: Wednesday, January 26, 2011 9:50 AM
To: John Hudson
Cc: WOFF Working Group
Subject: Re: WOFF without same origin restriction in Opera?

On Tue, Jan 25, 2011 at 12:44 PM, John Hudson <tiro@tiro.com> wrote:

Opera have had plenty of opportunity to make a formal objection to SOR in the WOFF specification. We're at last call for comments and they have not done so. Håkon made no objection at the face-to-face in Lyon. Maybe someone at Opera thinks they can do an end run by producing an implementation that ignores this MUST clause, but I think they're just going to end up being non-conformant. Maybe they'd listen to one of their own customers who wants to protect an investment in a font asset?

What's wrong with protecting one's assets by instructing the server to only serve certain Referrers? People have been doing that for images for ages.

behdad



JH

Received on Wednesday, 26 January 2011 19:08:25 UTC
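
Added example, not part of the original thread: a simplified JavaScript model of the two controls the messages compare, a browser-enforced same-origin restriction with a CORS opt-in versus a server-side Referer check. The function names, the `allowWhenMissing` policy knob and all URLs are constructed for illustration; the header name `Access-Control-Allow-Origin` is the CORS response header, which the thread refers to only as "one single HTTP header", and this is not the full CORS algorithm.

```javascript
// Browser side: same-origin restriction on font loads, with CORS opt-in.
// Returns true when the page may use the font.
function fontLoadAllowed(pageUrl, fontUrl, responseHeaders = {}) {
  const pageOrigin = new URL(pageUrl).origin;
  const fontOrigin = new URL(fontUrl).origin;
  // Same origin: nothing to configure on the server.
  if (pageOrigin === fontOrigin) return true;
  // Header names are case-insensitive, so normalise before lookup.
  const headers = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
  const acao = headers['access-control-allow-origin'];
  // Cross origin: allowed only if the font server opted in.
  return acao === '*' || acao === pageOrigin;
}

// Server side: the Referer check alternative. The Referer header is
// optional and is often stripped by proxies or privacy settings, so the
// site must pick a policy for requests that arrive without it.
function refererCheckAllows(referer, licensedHost, allowWhenMissing) {
  if (!referer) return allowWhenMissing;
  try {
    return new URL(referer).hostname === licensedHost;
  } catch {
    return false; // malformed Referer value
  }
}

// Constructed scenarios: a licensed site and an unrelated page.
function scenarios() {
  const font = 'https://shop.example/fonts/body.woff';
  return {
    sameOrigin: fontLoadAllowed('https://shop.example/index.html', font),
    crossOriginNoHeader: fontLoadAllowed('https://other.example/page', font),
    crossOriginStar: fontLoadAllowed('https://other.example/page', font,
      { 'Access-Control-Allow-Origin': '*' }),
    // Lenient Referer policy lets header-less requests through...
    refererMissingLenient: refererCheckAllows(undefined, 'shop.example', true),
    // ...strict policy rejects legitimate visitors whose Referer was stripped.
    refererMissingStrict: refererCheckAllows(undefined, 'shop.example', false),
  };
}

console.log(scenarios());
```
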