Re: A way forward

On Fri, Jul 24, 2009 at 5:27 PM, John Daggett <jdaggett@mozilla.com> wrote:
> John Hudson wrote:
>
>>>> Er, what? EOT-Lite fonts cannot be used if a EULA specifies that
>>>> same-origin restrictions are required, since legacy versions of IE
>>>> won't enforce any form of same-origin restriction.  Are you saying
>>>> that's incorrect? Or that the example was incorrect?
>>
>>> If the EULA requires same-origin restrictions, then Firefox is the
>>> only browser that can implement EOT-Lite and comply with this EULA
>>> in the very near term.
>>
>>> And that's a problem for you why?
>>
>> It is also a licensing issue, not a format or implementation issue.
>> Single-origin checking is something that font developers want and
>> may indeed put into standard license agreements for web fonts. On
>> the other hand, we are aware that it won't be backwards compatible,
>> and if there are customers who have specific compatibility needs
>> then custom licenses are possible. A license might even specify
>> exceptions to the single-origin checking for specific browser
>> versions. This is a decision font makers will need to consider from
>> a business perspective.
>
> This issue of a new font format is *entirely* a licensing issue.  My
> point was simply that EOT-Lite potentially affects the choice of fonts
> available in non-IE browsers, since those font vendors who require
> same-origin checking in *all* cases would not be able to license their
> fonts for web use (or would need to require things like referrer
> checking) because of this structural limitation.  Creating two font
> files, a legacy EOT and a new format .webfont/ZOT, is a pain but
> it does not have this limitation.

Note, though, that such a requirement for same-origin checking in
*all* cases isn't actually possible.  Referer or Origin-based checks
are based on the client sending out correct information (vulnerable to
trivial header spoofing), and CORS is based on the client refusing to
give access to a resource it's already downloaded (the client can just
give access instead).  wget'ing the font will still work regardless.

~TJ

Received on Friday, 24 July 2009 22:37:20 UTC
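
Added example, not part of the original message: a model of the Referer check and the CORS response from the server's side, showing which party actually makes each access decision. The origin, font bytes and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values, not taken from the thread.
LICENSED_ORIGIN = "https://licensee.example"
FONT_BYTES = b"constructed-font-bytes"

def origin_of(url):
    """Return scheme://host[:port] of a URL, or None if it has no origin."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def serve_with_referer_check(request_headers):
    """Server-side gate: its only input is a header the client filled in."""
    if origin_of(request_headers.get("Referer")) != LICENSED_ORIGIN:
        return 403, {}, b""
    return 200, {"Content-Type": "application/octet-stream"}, FONT_BYTES

def serve_with_cors(request_headers):
    """CORS: the body is always sent; the header only labels who may read it."""
    headers = {
        "Content-Type": "application/octet-stream",
        "Access-Control-Allow-Origin": LICENSED_ORIGIN,
        "Vary": "Origin",
    }
    return 200, headers, FONT_BYTES

def conforming_client_allows(page_origin, response_headers):
    """The check a CORS-conforming browser applies after the download."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed is not None and allowed in ("*", page_origin)

def summarize():
    """Run constructed requests and report what each mechanism guarantees."""
    licensed = {"Referer": LICENSED_ORIGIN + "/article.html", "Origin": LICENSED_ORIGIN}
    other = {"Referer": "https://other.example/", "Origin": "https://other.example"}
    stripped = {}  # Referer removed, e.g. by a proxy or a privacy setting
    _, cors_headers, body = serve_with_cors(other)
    return {
        "referer_licensed": serve_with_referer_check(licensed)[0],
        "referer_other": serve_with_referer_check(other)[0],
        "referer_stripped": serve_with_referer_check(stripped)[0],
        "cors_body_sent_to_other": body == FONT_BYTES,
        "cors_browser_allows_other": conforming_client_allows(other["Origin"], cors_headers),
        "cors_browser_allows_licensed": conforming_client_allows(LICENSED_ORIGIN, cors_headers),
    }
```

The Referer result depends only on the header value the client sent, and a legitimate visitor whose Referer was stripped is refused. The CORS response hands over the bytes in every case and leaves the access decision to the client.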