On Sat, Jun 18, 2011 at 11:17 AM, Tab Atkins Jr. <jackalmage@gmail.com>wrote: > On Fri, Jun 17, 2011 at 6:47 PM, Glenn Adams <glenn@skynav.com> wrote: > > In any case, a font file format (WOFF) and a font referencing system > > (@font-face) do not need to have a security story. Describing fonts (the > > format) and referring to them (the referencing system) does not require > them > > to be accessed. Access is part of the UA regime, and if there is policy > and > > controls on access, it should be defined at the UA layer, not the file > > format or reference layer. > > The use of fonts on the web needs these sorts of restrictions. Do you > have a concrete reason why they shouldn't be specified as they are > (perhaps you're implementing CSS in a non-web context and don't > believe the restrictions are useful in your context), or are you > objecting on theoretical purity concerns? First, I don't agree with your premise "that the use of fonts on the web needs these sorts of restrictions". That is a general statement that, while true in some cases, is not true in other cases. Second, I am not saying "they shouldn't be specified". I'm saying they (same-origin mandate) should not be specified in WOFF or CSS3-FONTS. These are not the correct place to mandate or enforce such restrictions. If there are restrictions on access, the mechanism by which this is imposed and enforce should be specified where the access occurs, and that is not in WOFF or CSS3-FONTS, but in a UA that uses these. Further, it must be possible to build UAs that are not required to enforce such restrictions, and which remain compliant. G. G.
Received on Saturday, 18 June 2011 21:46:47 UTC