Re: WOFF without same origin restriction in Opera?

I do not think my tone was improper.  And I asked an honest question in my
final paragraph that was left unanswered.  I don't think this subthread is
contributing to the question at hand (SOR implementation at Opera), so I
suggest we end it here.  I seem to disagree with you on many of the
technical considerations of WOFF.  If you are interested in hearing them, we
can talk in a separate thread.  Otherwise, lets just agree to disagree.

Thanks,
behdad

On Thu, Jan 27, 2011 at 12:04 PM, Sylvain Galineau
<sylvaing@microsoft.com>wrote:

>  1.       Compressing the file on a table-by-table basis was interesting
> for a number of scenarios; it also guarantees end-to-end compression
> regardless of the proxy chain. Tests also showed it could achieve better
> compression than with gzip.
>
>
>
> 2.       Having to open up the file to retrieve a domain name is
> inefficient; it is also similar to the EOT rootstring design which was not
> optimal and undesirable on several grounds; one of which being that it makes
> site maintenance a real pain as you now have to embed/update domain URLs as
> you move a file around.
>
>
>
> 3.       I completely disagree that the current SOR-based solution
> represents ‘the same level of hardness’ as Referrer checks for a web site.
> In most cases, they will have nothing to do; in some cases they might have
> to set one header to a static value. I don’t know anyone who thinks either
> is harder, less performant or more expensive than applying completely
> unreliable Referrer checks on all requests, some of which will break as they
> are stripped by proxies and firewalls thus leaving users with a broken page.
> As your solution is harder on the admin **and** some of the users, it’s
> difficult to conclude it’s better or even the same. You could say a design
> goal of the current design is to avoid any requirement for Referrer checks
> so arguing they’re better is certainly pointless at this stage.
>
>
>
> 4.       Whether fonts should be the same as other files is a purely
> technical assertion that is completely irrelevant in practice. If fonts were
> like any other type of resources we wouldn’t have been stuck with the same
> 10 system fonts for 15 years. This WG, this discussion and this mailing list
> wouldn’t need to exist. Again, not everyone is interested in waiting another
> 10 years to get the fonts they want just so a handful of browsers makers can
> write the code the way they  believe it should be written. If code purity
> was a priority that is exactly what would happen; and it was unacceptable.
> Especially when very simple technical measures that are completely useful on
> their own – compression saves bandwidth, SOR prevents leeching without any
> Referrer checks and also helps authors comply with the most common licensing
> restriction by default and at no cost - can give everyone access to
> thousands of beautiful high-quality fonts. I don’t see why the ‘Creative
> Commons camp’ approach (whatever that means) is so obviously better if all
> it can achieve is the preservation of an obsolete status quo every single
> author has been frustrated with for years. Or, put another way, I don’t see
> why compressing a file with a free, open algorithm and using a completely
> standard mechanism to restrict its cross-domain use violates web principles
> so egregiously that it is worth keeping web typography crippled and stuck in
> the 90s. That is not a pragmatic stance, it’s an ideological one. Those
> rarely solve anything.
>
>
>
> You’re welcome to peruse the archive of www-font for more detailed
> background. This design did not come up at random last night and involved
> many experts – from Mozilla, Microsoft, Opera, font vendors and so on -  so
> I’m not sure how you can assert that the requirements are not warranted or
> imply that anyone is ‘pretending’. If anything, what I find unwarranted is
> your tone.
>
>
>
>
>
> *From:* Behdad Esfahbod [mailto:behdad@google.com]
> *Sent:* Thursday, January 27, 2011 6:59 AM
>
> *To:* Sylvain Galineau
> *Cc:* John Hudson; WOFF Working Group
> *Subject:* Re: WOFF without same origin restriction in Opera?
>
>
>
> On Wed, Jan 26, 2011 at 2:07 PM, Sylvain Galineau <sylvaing@microsoft.com>
> wrote:
>
>
>
>  A pragmatic solution emerged from very long discussions whereby font
> makers large and small were willing to license their products for web use as
> long as the font was packaged in such a way that it can’t just be dropped in
> your local font folder, and if it was restricted to same-origin by default
> (most licenses are typically single-domain). They don’t expect that’ll stop
> piracy but it matters to them that whoever wants to grab a font has to take
> steps to do so. (Web sites also don’t mind if you save them bandwidth at no
> extra cost but that wasn’t the motivation). So while there is no technical
> reason web fonts should be compressed or SOR’ed, it just so happens that
> coding it this way makes an order of magnitude more fonts available to web
> authors and gives them more choice on how they want to deploy them. Is  that
> bad ?
>
>
>
> For being packaged such that it cannot just be dropped in your local font
> folder, would have sufficed to change the very first byte of the SFNT font
> file.  No need for an entirely new container that needs to be supported
> across all font tools.
>
>
>
> For domain checking, etc, well, why not just include that in the metadata
> block for example?
>
>
>
> I'm not questioning the design decisions at this point, since it's
> pointless, and commonly known that WOFF does not solve a technical problem.
>  I'm just pointing out that the decisions are not warranted given the
> requirements.  So lets not pretend that they do.
>
>
>
> From what I understand, WOFF is designed such that foundries can police
> around the web, download any WOFF they suspect is their intellectual
> property and inspect inside to see if the author has licensed it properly.
>  If that is the intention, I find it very broken also.  Are foundries
> allowed to download arbitrary resources from my website?  I sure didn't give
> them permission...
>
>
>
>
>
>  It also happens that, contrary to your comment below, this solution does
> **not** require anyone to ‘scratch their head trying to get it to work on
> the web’. Quite the contrary. Most licenses require you to serve your font
> from the same domain as your page and everything will work fine as long as
> you do that. Nothing to do on your server except serving the font file. As
> long as all browsers implement SOR you don’t need to do any referrer
> checking to prevent teenagers from linking to the font you paid for in their
> MySpace page either. Just get your license, plop the file on your domain and
> you’re done.
>
>
>
> If you do want to serve a font cross-domain then you will need to set one
> single HTTP header on your other server with a value of ‘*’. How is that
> harder than messing with Referrer checks ?
>
>
>
> It's not harder.  It's in the same order of hardness.  In both cases you
> have to mess with your server configuration.  I guess where we disagree is
> whether font foundries should be given the easy spot or the Creative Commons
> camp...
>
>
>
> I just don't understand why fonts should be treated so specially on the
> web.  You can make the same arguments about pretty much every resource on
> the web.
>
>
>
>
>
> behdad
>
>
>
>
>
>
>
>  Unfortunately, if some browsers do SOR and others don’t then some web
> sites may find themselves having to do extra work such as Referrer checks to
> comply with the most basic and common licensing restrictions as well as save
> their bandwidth. And if font vendors, having so far delivered on their side
> of the deal, lose confidence then that is a step backward. Unimpressive is
> the proper term.
>
>
>
>
>
> *From:* Behdad Esfahbod [mailto:behdad@google.com]
> *Sent:* Wednesday, January 26, 2011 10:38 AM
> *To:* Sylvain Galineau
> *Cc:* John Hudson; WOFF Working Group
>
>
> *Subject:* Re: WOFF without same origin restriction in Opera?
>
>
>
> On Wed, Jan 26, 2011 at 1:16 PM, Sylvain Galineau <sylvaing@microsoft.com>
> wrote:
>
> It doesn’t always work and requires work on the part of the web site to
> implement it (not all sites do referrer checking for their images, or all
> their images). Having the browser enforce same-origin by default requires
> zero work on the site’s behalf to comply with the most common web font
> license requirement today.
>
>
>
> But if some browsers choose to ignore this requirement then web sites may
> have to implement Referrer checks for those browsers anyway. It’s unclear
> why we should be making their lives harder than they need to be, or how it
> helps web typography adoption.
>
> It must be noted that other solutions were proposed before WOFF; one of
> them was judged inadequate in part because it would have relied on
> unreliable and cumbersome Referrer checks.
>
>
>
> So, in trying to solve the fonts-on-the-web problem, the WG decided that
> the current solutions are inadequate for the foundries, and invented an
> architecture that the foundries think is what they want, but left the rest
> of the world scratching their head trying to get it work on the web?  As in,
> now anyone who want to share their fonts either has to not use WOFF, or be
> bothered to implement CORS on their server...
>
>
>
> Unimpressed,
>
> behdad
>
>
>
>
>
>
>
> *From:* public-webfonts-wg-request@w3.org [mailto:
> public-webfonts-wg-request@w3.org] *On Behalf Of *Behdad Esfahbod
> *Sent:* Wednesday, January 26, 2011 9:50 AM
> *To:* John Hudson
> *Cc:* WOFF Working Group
> *Subject:* Re: WOFF without same origin restriction in Opera?
>
>
>
> On Tue, Jan 25, 2011 at 12:44 PM, John Hudson <tiro@tiro.com> wrote:
>
>
>
> Opera have had plenty of opportunity to make a formal objection to SOR in
> the WOFF specification. We're at last call for comments and they have not
> done so. Håkon made no objection at the face-to-face in Lyon. Maybe someone
> at Opera thinks they can do an end run by producing an implementation that
> ignores this MUST clause, but I think they're just going to end up being
> non-conformant. Maybe they'd listen to one of their own customers who wants
> to protect an investment in a font asset?
>
>
>
> What's wrong with protecting one's assets by instructing the server to only
> serve certain Referrer's?  People have been doing that for images for ages.
>
>
>
> behdad
>
>
>
>
>
>
> JH
>
>
>
>