Re: css3-fonts: should not dictate usage policy with respect to origin

inline

On Wed, Jun 29, 2011 at 11:55 AM, John Daggett <jdaggett@mozilla.com> wrote:

>
> Hi Glenn,
>
> You write that you've proposed several different alternatives to the
> existing origin restriction requirement in the CSS3 Fonts specification.
>  However, all of these seem to be to achieve the same effect, that is to
> make origin restrictions on fonts loading via @font-face rules optional in
> one form or another, either by changing "must" clauses to "should" clauses
> or by spinning the requirements out to other specs.
>
> The one thing I would like to understand is whether this is simply because
> of the specified origin restriction mechanism (i.e. same origin restricted
> by default using CORS to relax or explicit restriction via the proposed
> From-Origin header).  Are you objecting to either of these being required
> behavior or just the former of these two proposals?
>

either, but only the case of UAs that do not already implement same origin
requirements or are not otherwise mandated to do so (e.g., mandated by
HTML5); we want existing HTML4/XHTML1 category UAs that do not otherwise
implement same origin to be able to normatively make use of css3-fonts and
woff without bringing same origin into the picture;

i've repeated this basic objection some number of times now


> I've read through your messages and I'm still not seeing a compelling
> reason to make the existing requirements optional, if anything recent events
> emphasize the compelling reasons for this requirement.  Issues like this
> related to security are even more important for relatively closed
> environments like set-top boxes where updates are infrequent.
>

the primary motivation from our perspective is:

   1. maintaining interoperability while permitting forward compatibility
   with HTML4/XHTML1 class UAs or any similar UA that does not already
   implement same origin restrictions;

 secondary motivations include:

   1. the desire to avoid introducing an asymmetry in css derived resource
   fetch processing, namely, where same origin applies only to fonts but to no
   other css derived fetch


As background, I think it would be useful to read through a description of a
> recent WebGL security issue below.  The context is slightly different but
> the issue is the same, especially what is described in the section
> "Cross-Domain Image Theft":
>
>  http://www.contextis.com/resources/blog/webgl/
>
>
i will take a look at this, but it sounds like "content protection" and DRM
scope to me just from the phrase "image theft"


> My intention is to bring up the specific issue as to whether to make this
> requirement optional or not during next week's CSS WG call, I think it's
> best to have a formal resolution on this issue.
>
> Regards,
>
> John Daggett
> CSS3 Fonts Editor
>

Received on Wednesday, 29 June 2011 18:40:52 UTC