W3C home > Mailing lists > Public > www-font@w3.org > October to December 2013

Re: WOFF can't be used offline (claim)

From: Bert Bos <bert@w3.org>
Date: Thu, 14 Nov 2013 23:28:59 +0800
Message-Id: <A7D53DF8-D129-4FF6-A5C9-69D6AB8CE765@w3.org>
To: www-font@w3.org
On Nov 11, 2013, at 17:47, Jonathan Kew wrote:

> On 11/11/13 04:15, Chris Lilley wrote:
>> Hello Www-font,
>> Spotted recently:
>> "Which means that fonts in the WOFF format, even free ones, cannot
>> be used offline.
>> Free fonts in the WOFF format may thus have to be converted to
>> OpenType prior to packaging. "
>> http://www.w3.org/Style/2013/paged-media-tasks#embedded-fonts
>> I'm wondering how that conclusion is arrived at; not clear it is
>> correct.
> This seems mistaken, IMO. I'm cc'ing Bert Bos, as author of that document.

When I studied this a few months ago, it certainly looked as if WOFF couldn't be used with the "file:" protocol, nor with certain other URL schemes.

The CSS Fonts spec says that a font embedded via CSS's @font-face rule can only be used for a document if it and the document satisfy the "same origin" relation. (The exception is if the font is on an HTTP server and that HTTP server responds affirmatively if you ask it if you may use the font on a given other origin. The protocol for that is a bit weird: if you want to know if a document with URL prefix "proto://domain/" may use the font, you send the font server a HEAD or GET request with a special header "Origin: proto://domain" and the server responds with "Access-Control-Allow-Origin: proto://domain", which is a verbose way of saying "yes." And which only gives you the answer for a single origin at a time. But that aside.)

The problem is that the IETF spec that defines "same origin" only allows it to be true for certain protocols, and it says that UAs may treat two "file:" resources either as having different origins or the same origin. (Although the former is noted as being more secure.)

In other words, a local WOFF file cannot reliably be used for a local document. (And a WOFF file with certain other URL schemes, such as on peer-to-peer systems, with URNs instead of URLs, or with the proposed "ni:" URL scheme, can never be used for anything.)

But, the statement in the CSS Fonts spec about this is dubious, because it also appears to apply to other font formats, such as OpenType, which clearly *is* used locally.

Different browsers seem to do different things: If you open a local document that embeds a local WOFF font with Firefox, the font is not applied. But in Safari it is. Opera lets the user decide: it shows a (rather cryptic) dialog asking if you allow it to use the font.

Maybe we should change the CSS Fonts spec to say that the logic of RFC  6454 is reversed: two resources with URLs that are non-hierarchical or "file:" URLs always have the *same* origin instead of always different. After all, the reason the RFC defaults to "different" is because it assumes security reasons, while CSS Fonts deals with copyright.

And I think the spec should also limit the use of "origin" to WOFF, or add something like "in the absence of other mechanism." EOT, e.g., already has a better system built-in and there may be, e.g., RDF-based solutions later, such as proposed by Creative Commons.

> [1] http://www.w3.org/TR/WOFF/
> [2] http://dev.w3.org/csswg/css-fonts/#font-fetching-requirements

  Bert Bos                                ( W 3 C ) http://www.w3.org/
  http://www.w3.org/people/bos                               W3C/ERCIM
  bert@w3.org                             2004 Rt des Lucioles / BP 93
  +33 (0)4 92 38 76 92            06902 Sophia Antipolis Cedex, France
Received on Thursday, 14 November 2013 15:29:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:37:36 UTC