Re: css3-fonts: should not dictate usage policy with respect to origin

Christoph Päper wrote:

> There’s only one reasonable one, in my humble opinion.
> 
>>   - move same-origin requirements from WOFF and CSS3-FONTS to a third
>>   "WebFonts Conformance Specification";
> 
> Yes, this avoids layer and domain violations. 

I'm broadly in agreement with this approach. My preference is for

a) the From-Origin header to be formally drafted and proposed, and to 
find an appropriate home in W3C recommendations, and

b) for this to be normatively referenced in the 'Webfont Conformance 
Specification'.

Our concern at the moment is that we don't want to remove all reference 
to same origin mechanisms from draft webfonts documents while they 
remain uncovered elsewhere, because we have good reason to suppose that 
this will shake confidence in the WOFF model among some stakeholders. 
Many font vendors have begun licensing fonts in the WOFF format on the 
reasonable assumption, after two years, that some form of same origin 
restriction will apply to them.

I suspect that drafting the chartered 'Webfont Conformance 
Specification' will be a priority for the WG now.

[Note that I'm talking only about WOFF and Webfonts, and not about CSS. 
I think Jonathan Kew has made a reasonable argument as to why the CSS 
font module is actually a valid place for a same origin requirement, and 
perhaps others agree with him. It seems to me that there is a 
necessary discussion to be had about that.]

> The font file format (usually WOFF), the markup language (usually HTML), the stylesheet language (usually CSS) and the resource transfer protocol (usually HTTP) with origin restriction policies extensions (usually CORS/CORER) should not mandate one another, but there should be an umbrella specification labeled “Web Fonts” or some such, which font makers and vendors can expect browsers to conform (or comply) to. It should be issued by the W3C and it should not be made by the CSS WG.

The outstanding question for me is how reliable that expectation of 
conformance would be (not just for font makers/vendors, note, but for 
authors and users). Glenn has suggested that Samsung would treat any 
same origin requirement, wherever stated and using whatever mechanism, 
as optional, and the wording he has proposed makes this explicitly so. 
In other words, a UA could conform even if it chose to ignore the same 
origin requirement. I'm not happy about that, because I do think we 
should be able to reliably anticipate what a conformant UA will be doing 
when encountering a well-defined, standardised same origin mechanism. 
This affects not only author intent (whether in conformance with a 
license or for other reasons) but also user experience: presuming, 
reasonably I think, that a single user may be visiting the same site 
using different UAs on a variety of devices, having some UAs allow 
hotlinking of webfont resources and others not will create divergent 
user experiences. Yes, some measure of divergence is expected in dynamic 
content, but this doesn't seem an area in which there is any benefit.

JH

Received on Sunday, 19 June 2011 17:56:09 UTC