- From: John Hudson <tiro@tiro.com>
- Date: Sat, 18 Jun 2011 15:32:20 -0700
- To: Glenn Adams <glenn@skynav.com>
- CC: "Tab Atkins Jr." <jackalmage@gmail.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, www-font@w3.org
Glenn Adams wrote: > First, I don't agree with [Tab's] premise "that the use of fonts on the web > needs these sorts of restrictions". That is a general statement that, > while true in some cases, is not true in other cases. Yes, but in issues of security surely it is those cases that have a need that determine what is needful, not those cases that do not have a need. We had a similar discussion re. the needs of commercial font providers and users vs. libre font providers and users a couple of summers ago. Sure there are mechanisms that are not needed for some providers and some users, and hence not needed in some situations, but you can't build a robust solution by presuming the least needful situations. Ergo, you look at the most needful situation and try to come up with a solution that addresses that situation while being as least onerous as possible for less needful situation. I think this has been the working principle for everyone involved in the Webfonts WG for the past two years. > Second, I am not saying "they shouldn't be specified". I'm saying they > (same-origin mandate) should not be specified in WOFF or CSS3-FONTS. > These are not the correct place to mandate or enforce such restrictions. > If there are restrictions on access, the mechanism by which this is > imposed and enforce should be specified where the access occurs, and > that is not in WOFF or CSS3-FONTS, but in a UA that uses these. This seems reasonable enough to me, and I'm happy for same origin or from origin mechanisms to be defined in a Webfonts compliance document, as chartered, rather than within the WOFF spec (I'll have to let other people speak re. the CSS spec) > Further, > it must be possible to build UAs that are not required to enforce such > restrictions, and which remain compliant. You wrote yesterday that if the relevant WG's undertook to move same-origin requirements from WOFF and CSS3-FONTS to a third "WebFonts Conformance Specification" then you would 'consider the matter resolved and vacate Samsung's formal objection'. Surely if a same origin mechanism of some kind is a Webfonts compliance requirement, then a UA such as you describe could not be compliant? JH
Received on Saturday, 18 June 2011 22:32:50 UTC