RE: What constitutes protection [was: About using CORS] from Sylvain Galineau on 2010-05-04 (www-font@w3.org from April to June 2010)

From: Sylvain Galineau <sylvaing@microsoft.com>
Date: Tue, 4 May 2010 16:16:06 +0000
To: Garrick Van Buren <garrick@kernest.com>, "www-font@w3.org" <www-font@w3.org>
Message-ID: <045A765940533D4CA4933A4A7E32597E21483766@TK5EX14MBXC120.redmond.corp.microsoft.>

> From: www-font-request@w3.org [mailto:www-font-request@w3.org] On
> Behalf Of Garrick Van Buren


> Great, what are some pointers describing the main technical advantages
> protections as a standard?

If you search this archive for security, I believe roc and/or John Daggett
explained some of them. 

> Yes - and the day I upgraded, it broke a significant portion of my work.
Not sure I understand what broke: did Firefox support fonts cross-domain 
before it implemented SOR ?

> 
> >
> >> If we're going to design a ruleset for all fonts based on the
> >> characteristics of some of them - what's the downside of no
> 'protection
> >> against leakage' ?
> >
> > Higher vulnerability exposure in the short term. And, if licensing
> terms do
> > not change, you may reduce author choice by losing a large chunk of
> the new
> > fonts you wanted to access. It could mean you're back to using the
> exact
> > same set of fonts you have access to today, but with built-in
> compression.
> >
> 


> Short term?!?!?!?! 
Yes. Until font code is hardened, you will have more exposure to 
vulnerabilities. I don't expect that to last forever. Although
I expect it to take longer than I think :)

> @font-face was barely adopted in it's 10 years of existence - 
> partially because of frigid licensing terms. 
Partially, yes. Cross-browser incompatibility and bandwidth costs
were other factors.


>Now the conversation is around recommending a single technical solution 
>to accommodate the thousands of different licensing terms? 
Font licenses are outside the scope of this WG. But technical solutions
that collide head-on with general licensing restrictions common across
the vast majority of EULAs are not that interesting. We aim to expand
choice, not reduce it.


>It is conceivable that a license exists that would be violated because of
> this recommendation.
It certainly is. But it is also conceivable that number of licenses - and 
fonts - that are not violated by this recommendation is far higher.



> Lastly, given how easy it is to externally compress I don't find built-
> in compression advantageous. In some ways, it's more problematic.

Why is it more problematic ? Are PNG, audio, video and other data format 
compressions problematic ?

 
> Is this helpful?
Yes.

Received on Tuesday, 4 May 2010 16:16:43 UTC