Re: css3-fonts: should not dictate usage policy with respect to origin

On 18 Jun 2011, at 22:45, Glenn Adams wrote:

> On Sat, Jun 18, 2011 at 11:17 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Fri, Jun 17, 2011 at 6:47 PM, Glenn Adams <glenn@skynav.com> wrote:
>> > In any case, a font file format (WOFF) and a font referencing system
>> > (@font-face) do not need to have a security story. Describing fonts (the
>> > format) and referring to them (the referencing system) does not require them
>> > to be accessed. Access is part of the UA regime, and if there is policy and
>> > controls on access, it should be defined at the UA layer, not the file
>> > format or reference layer.
>> 
>> The use of fonts on the web needs these sorts of restrictions.  Do you
>> have a concrete reason why they shouldn't be specified as they are
>> (perhaps you're implementing CSS in a non-web context and don't
>> believe the restrictions are useful in your context), or are you
>> objecting on theoretical purity concerns?
>> 
> First, I don't agree with your premise "that the use of fonts on the web needs these sorts of restrictions". That is a general statement that, while true in some cases, is not true in other cases.

Certainly it is not true for every use of fonts on the web. Let me try rephrasing roughly what I think Tab probably meant. I believe (and I think the Web Fonts Working Group in general agrees) that specifying these sorts of restrictions as normative behavior for user agents implementing the @font-face rule will encourage more widespread availability and use of fonts on the web, by helping to mitigate some of the fears regarding abuse of the resources that are deployed. The rapid growth of Web Fonts services and usage over the past year or so, in the light of the emerging WOFF specification (which has always been understood as associated with a same-origin restriction by the typographic community), appears to support this belief.

For those cases where the restrictions are not desired, simple mechanisms are provided to relax them. So those "other cases" that do not need restrictions are not blocked by this.

> 
> Second, I am not saying "they shouldn't be specified". I'm saying they (same-origin mandate) should not be specified in WOFF or CSS3-FONTS. These are not the correct place to mandate or enforce such restrictions.

I agree that WOFF is not the most appropriate place to mandate these restrictions, and the WG has expressed its willingness to remove this from the WOFF specification if and when it is dealt with elsewhere. It seems to me that CSS3 Fonts is, however, an entirely appropriate place to address the issue: this is where @font-face is specified, and the default same-origin requirement (along with the means to relax it) is intended to be an integral part of @font-face.

JK

Received on Saturday, 18 June 2011 22:19:03 UTC