- From: Richard Fink <rfink@readableweb.com>
- Date: Mon, 3 Aug 2009 12:55:33 -0400
- To: "'Tab Atkins Jr.'" <jackalmage@gmail.com>, "'Sylvain Galineau'" <sylvaing@microsoft.com>
- Cc: "'John Hudson'" <tiro@tiro.com>, "'Levantovsky, Vladimir'" <Vladimir.Levantovsky@MonotypeImaging.com>, <bill.davis@ascendercorp.com>, "'www-font'" <www-font@w3.org>
Monday, August 03, 2009 Tab Atkins Jr <jackalmage@gmail.com>:

Tab Atkins Jr. wrote:

>In the end, though, I think all of this will be unnecessary.
>Same-origin restrictions serve only to prevent cross-origin requests -
>hotlinking, in other words. As long as most of the ecosystem obeys
>this, then hotlinking is essentially useless. Fast forward to a year
>or so from now, when the non-IE browsers will have implemented EOTL
>support and released, and enough people have upgraded to make it worth
>it to deploy EOTL files. You put up a font. Someone hotlinks it to
>use on their own site. What happens? The font is completely ignored
>on 30%-40% of browsers!

This lines up exactly with what I wrote in response to Rob O'Callahan about Ascender's current licensing verbiage where the licensee agrees to take "reasonable steps" to prevent hot linking. (I'm paraphrasing.)

My exchange with Rob was this:

Rob O'Callahan wrote:

>What about all the IE<=8 user agents? Seems like your approach would violate Ascender's license until they go away completely. If you
>only use EOTL once all IE<=8 user agents go away, it's useless.

Richard Fink replied:

>Here’s my thinking: If someone has a page or pages that are trying to piggyback off of my license by linking to
>my copy of Cambria Regular, yes that works for <IE9. But if IE 9 (or Firefox 4) enforces same origin, where
>does that leave Mr. Piggyback? Unless I allow it, he isn’t getting my font file delivered to the people viewing
>his pages in the latest browsers and so he might as well abandon his scheme. Why is it unreasonable for me to
>do nothing about a “threat” that no longer exists except in theory? In what way is Ascender being harmed?

In other words, *doing nothing* is a reasonable step. Once a single major browser supports EOTL along with CORS, that licensing language makes no sense. And it's not even difficult to explain to a non-technical person why that is so.

IMHO - it's more appropriate, and more specific, for the EULA to spell out what the licensee is *not* supposed to do: open their server up to hot linking. That makes sense for licensor and licensee alike on multiple levels and I think would be far less objectionable.

And yes, Tab, we could have used you over the weekend. Hope you enjoyed the wine.

Regards,

rich

Received on Monday, 3 August 2009 16:56:21 UTC