- From: Glenn Adams <glenn@skynav.com>
- Date: Wed, 29 Jun 2011 12:39:49 -0600
- To: John Daggett <jdaggett@mozilla.com>
- Cc: John Hudson <tiro@tiro.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>, liam@w3.org, StyleBeyondthePunchedCard <www-style@w3.org>, public-webfonts-wg@w3.org, www-font@w3.org, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
- Message-ID: <BANLkTikRHhjWW-dm41O0GyXXkCGY2STLUw@mail.gmail.com>
inline On Wed, Jun 29, 2011 at 11:55 AM, John Daggett <jdaggett@mozilla.com> wrote: > > Hi Glenn, > > You write that you've proposed several different alternatives to the > existing origin restriction requirement in the CSS3 Fonts specification. > However, all of these seem to be to achieve the same effect, that is to > make origin restrictions on fonts loading via @font-face rules optional in > one form or another, either by changing "must" clauses to "should" clauses > or by spinning the requirements out to other specs. > > The one thing I would like to understand is whether this is simply because > of the specified origin restriction mechanism (i.e. same origin restricted > by default using CORS to relax or explicit restriction via the proposed > From-Origin header). Are you objecting to either of these being required > behavior or just the former of these two proposals? > either, but only the case of UAs that do not already implement same origin requirements or are not otherwise mandated to do so (e.g., mandated by HTML5); we want existing HTML4/XHTML1 category UAs that do not otherwise implement same origin to be able to normatively make use of css3-fonts and woff without bringing same origin into the picture; i've repeated this basic objection some number of times now > I've read through your messages and I'm still not seeing a compelling > reason to make the existing requirements optional, if anything recent events > emphasize the compelling reasons for this requirement. Issues like this > related to security are even more important for relatively closed > environments like set-top boxes where updates are infrequent. > the primary motivation from our perspective is: 1. maintaining interoperability while permitting forward compatibility with HTML4/XHTML1 class UAs or any similar UA that does not already implement same origin restrictions; secondary motivations include: 1. the desire to avoid introducing an asymmetry in css derived resource fetch processing, namely, where same origin applies only to fonts but to no other css derived fetch As background, I think it would be useful to read through a description of a > recent WebGL security issue below. The context is slightly different but > the issue is the same, especially what is described in the section > "Cross-Domain Image Theft": > > http://www.contextis.com/resources/blog/webgl/ > > i will take a look at this, but it sounds like "content protection" and DRM scope to me just from the phrase "image theft" > My intention is to bring up the specific issue as to whether to make this > requirement optional or not during next week's CSS WG call, I think it's > best to have a formal resolution on this issue. > > Regards, > > John Daggett > CSS3 Fonts Editor >
Received on Wednesday, 29 June 2011 18:40:37 UTC