Re: WOFF without same origin restriction in Opera?

On Wed, Jan 26, 2011 at 2:07 PM, Sylvain Galineau <sylvaing@microsoft.com>wrote:


> A pragmatic solution emerged from very long discussions whereby font makers
> large and small were willing to license their products for web use as long
> as the font was packaged in such a way that it can’t just be dropped in your
> local font folder, and if it was restricted to same-origin by default (most
> licenses are typically single-domain). They don’t expect that’ll stop piracy
> but it matters to them that whoever wants to grab a font has to take steps
> to do so. (Web sites also don’t mind if you save them bandwidth at no extra
> cost but that wasn’t the motivation). So while there is no technical reason
> web fonts should be compressed or SOR’ed, it just so happens that  coding it
> this way makes an order of magnitude more fonts available to web authors and
> gives them more choice on how they want to deploy them. Is  that bad ?
>

For being packaged such that it cannot just be dropped in your local font
folder, would have sufficed to change the very first byte of the SFNT font
file.  No need for an entirely new container that needs to be supported
across all font tools.

For domain checking, etc, well, why not just include that in the metadata
block for example?

I'm not questioning the design decisions at this point, since it's
pointless, and commonly known that WOFF does not solve a technical problem.
 I'm just pointing out that the decisions are not warranted given the
requirements.  So lets not pretend that they do.

>From what I understand, WOFF is designed such that foundries can police
around the web, download any WOFF they suspect is their intellectual
property and inspect inside to see if the author has licensed it properly.
 If that is the intention, I find it very broken also.  Are foundries
allowed to download arbitrary resources from my website?  I sure didn't give
them permission...


 It also happens that, contrary to your comment below, this solution does **
> not** require anyone to ‘scratch their head trying to get it to work on
> the web’. Quite the contrary. Most licenses require you to serve your font
> from the same domain as your page and everything will work fine as long as
> you do that. Nothing to do on your server except serving the font file. As
> long as all browsers implement SOR you don’t need to do any referrer
> checking to prevent teenagers from linking to the font you paid for in their
> MySpace page either. Just get your license, plop the file on your domain and
> you’re done.
>
>
>
> If you do want to serve a font cross-domain then you will need to set one
> single HTTP header on your other server with a value of ‘*’. How is that
> harder than messing with Referrer checks ?
>

It's not harder.  It's in the same order of hardness.  In both cases you
have to mess with your server configuration.  I guess where we disagree is
whether font foundries should be given the easy spot or the Creative Commons
camp...

I just don't understand why fonts should be treated so specially on the web.
 You can make the same arguments about pretty much every resource on the
web.


behdad



Unfortunately, if some browsers do SOR and others don’t then some web sites
> may find themselves having to do extra work such as Referrer checks to
> comply with the most basic and common licensing restrictions as well as save
> their bandwidth. And if font vendors, having so far delivered on their side
> of the deal, lose confidence then that is a step backward. Unimpressive is
> the proper term.
>
>
>
>
>
> *From:* Behdad Esfahbod [mailto:behdad@google.com]
> *Sent:* Wednesday, January 26, 2011 10:38 AM
> *To:* Sylvain Galineau
> *Cc:* John Hudson; WOFF Working Group
>
> *Subject:* Re: WOFF without same origin restriction in Opera?
>
>
>
> On Wed, Jan 26, 2011 at 1:16 PM, Sylvain Galineau <sylvaing@microsoft.com>
> wrote:
>
> It doesn’t always work and requires work on the part of the web site to
> implement it (not all sites do referrer checking for their images, or all
> their images). Having the browser enforce same-origin by default requires
> zero work on the site’s behalf to comply with the most common web font
> license requirement today.
>
>
>
> But if some browsers choose to ignore this requirement then web sites may
> have to implement Referrer checks for those browsers anyway. It’s unclear
> why we should be making their lives harder than they need to be, or how it
> helps web typography adoption.
>
> It must be noted that other solutions were proposed before WOFF; one of
> them was judged inadequate in part because it would have relied on
> unreliable and cumbersome Referrer checks.
>
>
>
> So, in trying to solve the fonts-on-the-web problem, the WG decided that
> the current solutions are inadequate for the foundries, and invented an
> architecture that the foundries think is what they want, but left the rest
> of the world scratching their head trying to get it work on the web?  As in,
> now anyone who want to share their fonts either has to not use WOFF, or be
> bothered to implement CORS on their server...
>
>
>
> Unimpressed,
>
> behdad
>
>
>
>
>
>
>
> *From:* public-webfonts-wg-request@w3.org [mailto:
> public-webfonts-wg-request@w3.org] *On Behalf Of *Behdad Esfahbod
> *Sent:* Wednesday, January 26, 2011 9:50 AM
> *To:* John Hudson
> *Cc:* WOFF Working Group
> *Subject:* Re: WOFF without same origin restriction in Opera?
>
>
>
> On Tue, Jan 25, 2011 at 12:44 PM, John Hudson <tiro@tiro.com> wrote:
>
>
>
> Opera have had plenty of opportunity to make a formal objection to SOR in
> the WOFF specification. We're at last call for comments and they have not
> done so. Håkon made no objection at the face-to-face in Lyon. Maybe someone
> at Opera thinks they can do an end run by producing an implementation that
> ignores this MUST clause, but I think they're just going to end up being
> non-conformant. Maybe they'd listen to one of their own customers who wants
> to protect an investment in a font asset?
>
>
>
> What's wrong with protecting one's assets by instructing the server to only
> serve certain Referrer's?  People have been doing that for images for ages.
>
>
>
> behdad
>
>
>
>
>
>
> JH
>
>
>