RE: css3-fonts: should not dictate usage policy with respect to origin

Hi Glenn,

You wrote:
Similarly, a variety of devices have been deployed based on earlier versions of @font-face in which same origin did not apply. Those devices may or may not be updated to support a final version of @font-face which does apply same origin. The change that introduces same origin thus impacts the interoperability and potential compliance of those earlier devices.

Such non-backward compatible changes should be scrutinized and considered when making such changes.

Deployed devices that are based on earlier versions of the @font-face spec would load a font regardless of its origin and without any regard to any new access control headers. As far as they are concerned – nothing has ever changed, and the content is going to be delivered and rendered exactly the same way it used to be. Newly deployed implementations would have to honor the same-origin restrictions and pay attention to the access control headers, but again this would only be true for new implementations. Can you please provide an example showing that the introduction of same origin restriction impacts the interoperability of those earlier devices? What is the basis for your claim that this change is non-backward compatible?

Thank you,
Vlad


From: Glenn Adams [mailto:glenn@skynav.com]
Sent: Friday, June 24, 2011 8:36 PM
To: Sylvain Galineau
Cc: liam@w3.org; Levantovsky, Vladimir; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org; www-font@w3.org; Martin J.
Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

You are putting words into my mouth when you claim I am making this argument based on "Samsung CE Devices". I did not specifically cite Samsung implementations of the interactive television standards I referred to. In fact, a significant number of CE manufacturers have deployed those standards.

Next, new drafts *do* affect existing implementations when the features implemented are subject to changes in draft specifications, such as css3-fonts, which have been in process for nearly ten years. Just like HTML5, implementers cannot afford to wait until it reaches REC state, and early implementations that are fielded may be difficult or uneconomical to update.

As an example, Microsoft created the UPnP 1.0 specification based on MSFT's early implementation of XML Schemas; namely, upon XDR. Many devices were fielded using this work based on early drafts of XSD. Those devices are still in the field. Eventually, XSD was finalized, but those early devices remain dependent upon XDR, and are not conformant with XSD. Slowly, new devices are being fielded based on UPnP 1.1 which transitioned to XSD as finalized.

Similarly, a variety of devices have been deployed based on earlier versions of @font-face in which same origin did not apply. Those devices may or may not be updated to support a final version of @font-face which does apply same origin. The change that introduces same origin thus impacts the interoperability and potential compliance of those earlier devices.

Such non-backward compatible changes should be scrutinized and considered when making such changes.

This is a simple, pragmatic argument, not based upon an ideal state of affairs in which implementers refrain from building products until a specification is complete. Of course, this is a risk taken by implementers, but it is also a risk faced by standardization efforts, particularly those that take a very long time to reach some level of finality.

You may think Samsung's objection unreasonable, but Samsung does not. So we will have to disagree on that point.

I have proposed alternative language that represents what we believe to be a reasonable compromise. The WG can either consider it, possibly adopting it, take it in part, or ignore it entirely. That is up to the WG to decide.

I don't intend to elaborate our position any further, since it would merely mean repeating what has already been said.

Regards,
Glenn
On Fri, Jun 24, 2011 at 5:51 PM, Sylvain Galineau <sylvaing@microsoft.com<mailto:sylvaing@microsoft.com>> wrote:
First, there is no such thing as a ‘retro-active requirement’. New drafts only affect future implementations. As there are no explicit or implicit requirements for you to go back and fix legacy devices every time a draft specification is updated, the claim that such an obligation is forcing you to object has no basis and thus no compromise seems necessary to resolve it. Since you point out that you have no objection to this requirement for new ‘HTML5’ devices, I wonder if you could elaborate on what makes you believe those devices that predate it must be updated to conform to it?

Second, as some of us have successfully deployed this font access policy to hundreds of millions of users, we do have some understanding of its real-world impact and I am available to answer any questions you may have on the matter. In Microsoft’s case, many of our users still run a 10 year-old browser on a 10 year-old OS (as you say, PCs *can* be updated more easily; it doesn’t follow that they are…) running an implementation of @font-face originally based on a specification older than css3-fonts’ first draft. We also support a legacy font encoding (EOT) and apply same-origin restrictions to resources in this format in our latest release; we do so despite the fact that no such requirement ever existed for EOT, never mind that EOT supports its own origin restriction mechanism. Our older releases (as well as emulations of these older releases) do, however, remain unchanged and still download EOT fonts from all origins; precisely because, yes, this would be a breaking change, because our customers expect older versions to remain stable i.e. compatible with our implementation of the standards of their time…and because there are no ‘retro-active requirements’ to update these older releases.

By the way, since the change you request would likely conflict with deployed IE and Firefox implementations by making failure scenarios valid, wouldn’t you expect Mozilla and Microsoft to object for the same reasons? Surely such a change would be as retro-active on our UAs as it is on yours? Shouldn’t this impact also be taken into account?
Third, I do not believe I made an unfair generalization of your argument; but I find it encouraging that you seem to disagree with a generalization of it. Maybe you believe your request justified because of its narrow and targeted nature, as you perceive it? It could explain part of the gap in understanding we’re struggling with.

To summarize, you are stating that the existence of Samsung CE devices implementing a prior draft of CSS3 Fonts requires you to formally object to those changes that are incompatible with these devices. In the absence of any concrete expectation or demand by the CSS WG or the Fonts WG that you update these products to conform with a requirement drafted after they were designed and released, and in the absence of any use-case demonstrating end-user harm – a UA that loads fonts from all origins will render all pages designed for UAs that enforce SOR - I consider your objection unreasonable as stated and see no further action that can, or should, be taken.

I do, of course, welcome discussion of this requirement on its own merits or lack thereof, as it may be.


From: www-style-request@w3.org<mailto:www-style-request@w3.org> [mailto:www-style-request@w3.org<mailto:www-style-request@w3.org>] On Behalf Of Glenn Adams

Sent: Thursday, June 23, 2011 1:22 PM
To: Sylvain Galineau
Cc: liam@w3.org<mailto:liam@w3.org>; Levantovsky, Vladimir; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org<mailto:public-webfonts-wg@w3.org>; www-font@w3.org<mailto:www-font@w3.org>; Martin J.

Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

One must recognize that (1) UAs deployed in CE devices are not the same category as PCs, which can be updated more easily; (2) css3-fonts has been under development for an inordinately long time and the need for @font-face implementations has existed since the beginning; (3) UAs *are* deployed that use @font-face and that do not support HTML5 or same-origin.

These are facts that should be considered, and as a representative of a company that has deployed such UAs, Samsung will continue to object to a retroactive requirement on these UAs to support same origin. We do not, however, have the same position for HTML5 category UAs that are now appearing in the field.

Of course, a WG is entitled to change a non-final spec in a non-backward compatible manner, but in doing so should take into account the impact of such a change. Finally, I did not suggest such a generalization as you state below.

I am attempting to find compromise language that Samsung can live with. Are you interested in finding a compromise that can remove our objection or not?

G.

On Thu, Jun 23, 2011 at 2:11 PM, Sylvain Galineau <sylvaing@microsoft.com<mailto:sylvaing@microsoft.com>> wrote:
As a *draft* specifications, css3-fonts and WOFF can certainly define new requirements for future implementations. Your entire argument would imply that once a draft has been implemented future versions of the spec must be compatible with those implementations. This is not the way CSS works; no implementation that implemented a given draft is guaranteed conformance with the next one. The main motive for vendor prefixes is to allow specifications to evolve without breaking implementations. That historical implementations did not prefix their @font-face implementation should not block us from achieving both interoperability and desirable runtime behavior in future implementations.


From: public-webfonts-wg-request@w3.org<mailto:public-webfonts-wg-request@w3.org> [mailto:public-webfonts-wg-request@w3.org<mailto:public-webfonts-wg-request@w3.org>] On Behalf Of Glenn Adams
Sent: Thursday, June 23, 2011 12:59 PM
To: liam@w3.org<mailto:liam@w3.org>
Cc: Levantovsky, Vladimir; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org<mailto:public-webfonts-wg@w3.org>; www-font@w3.org<mailto:www-font@w3.org>; Martin J.

Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

Samsung supports your suggestion below if it is expressed either as "should" or made conditionally mandatory, where the condition is expressed as follows or an equivalent:

"If the use of WOFF occurs in a context where same origin access constraints are *already* present/supported, then that mechanism *must* be used to limit access to WOFF fonts; otherwise, such a mechanism *should* be provided for such use."

We do not want the use of WOFF by itself, or css3-fonts, by itself, to trigger a mandatory requirement for same origin processing in contexts that don't already support such constraints. For example, in HTML4 or XHTML1 category UAs that already support @font-face or that wish to support WOFF.

We note that the @font-face rule has been defined in css3-fonts since 31 July 2001, and that a variety of UAs have been fielded in the non-desktop environment (e.g., mobile, television, etc), which employ @font-face for accessing other non-WOFF fonts, and do so without same origin restrictions. This would argue against introducing a non-backward compatible change in css3-fonts to mandate same origin processing for prior fielded implementations that do not otherwise support same origin. WOFF similarly should not by itself trigger mandatory support for same origin in such UAs.

G.
On Thu, Jun 23, 2011 at 11:30 AM, Liam R E Quin <liam@w3.org<mailto:liam@w3.org>> wrote:
The WOFF spec could say in its conformance section (right in the spec,
not in a separate document) that for use in style sheets (not only CSS)
an implementation-defined mechanism should (must?) be available to limit
access to the WOFF resource outside of support for the style sheets, and
maybe give same-origin as an example.

Received on Monday, 27 June 2011 19:58:34 UTC