Re: css3-fonts: should not dictate usage policy with respect to origin

Glenn Adams wrote:

> First, I don't agree with [Tab's] premise "that the use of fonts on the web 
> needs these sorts of restrictions". That is a general statement that, 
> while true in some cases, is not true in other cases.

Yes, but in issues of security surely it is those cases that have a need 
that determine what is needful, not those cases that do not have a need. 
We had a similar discussion re. the needs of commercial font providers 
and users vs. libre font providers and users a couple of summers ago. 
Sure there are mechanisms that are not needed for some providers and 
some users, and hence not needed in some situations, but you can't build 
a robust solution by presuming the least needful situations. Ergo, you 
look at the most needful situation and try to come up with a solution 
that addresses that situation while being as little onerous as possible 
for less needful situations. I think this has been the working principle 
for everyone involved in the Webfonts WG for the past two years.

> Second, I am not saying "they shouldn't be specified". I'm saying they 
> (same-origin mandate) should not be specified in WOFF or CSS3-FONTS. 
> These are not the correct place to mandate or enforce such restrictions. 
> If there are restrictions on access, the mechanism by which this is 
> imposed and enforced should be specified where the access occurs, and 
> that is not in WOFF or CSS3-FONTS, but in a UA that uses these. 

This seems reasonable enough to me, and I'm happy for same origin or 
from origin mechanisms to be defined in a Webfonts compliance document, 
as chartered, rather than within the WOFF spec (I'll have to let other 
people speak re. the CSS spec).

> Further,
> it must be possible to build UAs that are not required to enforce such 
> restrictions, and which remain compliant.

You wrote yesterday that if the relevant WGs undertook to

 move same-origin requirements from WOFF and CSS3-FONTS
 to a third "WebFonts Conformance Specification"

then you would 'consider the matter resolved and vacate Samsung's formal 
objection'.

Surely if a same origin mechanism of some kind is a Webfonts compliance 
requirement, then a UA such as you describe could not be compliant?

JH

Received on Saturday, 18 June 2011 22:32:51 UTC