On Sat, Jun 18, 2011 at 11:17 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Fri, Jun 17, 2011 at 6:47 PM, Glenn Adams <glenn@skynav.com> wrote:
> > In any case, a font file format (WOFF) and a font referencing system
> > (@font-face) do not need to have a security story. Describing fonts (the
> > format) and referring to them (the referencing system) does not require them
> > to be accessed. Access is part of the UA regime, and if there is policy and
> > controls on access, it should be defined at the UA layer, not the file
> > format or reference layer.
>
> The use of fonts on the web needs these sorts of restrictions. Do you
> have a concrete reason why they shouldn't be specified as they are
> (perhaps you're implementing CSS in a non-web context and don't
> believe the restrictions are useful in your context), or are you
> objecting on theoretical purity concerns?

First, I don't agree with your premise "that the use of fonts on the web
needs these sorts of restrictions". That is a general statement that, while
true in some cases, is not true in other cases.

Second, I am not saying "they shouldn't be specified". I'm saying they
(same-origin mandate) should not be specified in WOFF or CSS3-FONTS. These
are not the correct place to mandate or enforce such restrictions. If there
are restrictions on access, the mechanism by which this is imposed and
enforced should be specified where the access occurs, and that is not in WOFF
or CSS3-FONTS, but in a UA that uses these. Further, it must be possible to
build UAs that are not required to enforce such restrictions, and which
remain compliant.

G.