Re: css3-fonts: should not dictate usage policy with respect to origin

On Fri, Jun 17, 2011 at 6:47 PM, Glenn Adams <> wrote:
> I interpret the prevention of "leakage" as a form of content protection,
> albeit a weak one.

The way you seem to be defining the term (such that it's suggesting
copyright enforcement or similar things), no, it's not at all, not
even weakly.

By "info leakage" I mean the leak of secret information guarded by the
user's credentials, which the web somewhat-unfortunately allows
arbitrary websites to embed.  We've learned over time that embedding
rights eventually translate to reading rights via information leaks.

> In any case, a font file format (WOFF) and a font referencing system
> (@font-face) do not need to have a security story. Describing fonts (the
> format) and referring to them (the referencing system) does not require them
> to be accessed. Access is part of the UA regime, and if there is policy and
> controls on access, it should be defined at the UA layer, not the file
> format or reference layer.

The use of fonts on the web needs these sorts of restrictions.  Do you
have a concrete reason why they shouldn't be specified as they are
(perhaps you're implementing CSS in a non-web context and don't
believe the restrictions are useful in your context), or are you
objecting on theoretical purity concerns?


Received on Saturday, 18 June 2011 17:18:04 UTC