Re: [css3-webfonts] Downloaded fonts should not... from Patrick Garies on 2008-04-15 (www-style@w3.org from April 2008)

From: Patrick Garies <pgaries@fastmail.us>
Date: Tue, 15 Apr 2008 13:16:09 -0500
To: Brad Kemper <brkemper@comcast.net>
CC: www-style@w3.org
Message-ID: <4804F0E9.2080407@fastmail.us>

Brad Kemper wrote:
>  I see. So, for instance, you would want to prevent someone from, say,
>  associating helvetica or arial with a downloadable font full of
>  company logos or pornographic cartoons, etc.

Yes. You’re changing the rendering environment of independent documents 
that may not be under your control.

>  That seems wise, but it still means the exact same (popular) font
>  might end up being downloaded multiple times from every site that
>  uses it.

The same holds true for files in other formats. Why except font formats? 
For example, when sites use the same popular image or 
ECMAScript/JavaScript library, users may have to download those files 
multiple times.

>  Anyone know if Webkit works that way?

You could download a build [1] and run a test. I’m not going to bother 
right now though since I’m on dial‐up and have to go to work soon.

[1] <http://nightly.webkit.org/builds/trunk/win/1>

>  I would prefer if it could be downloaded once and then used from any
>  page with an @font-face specifying the same font name, provided there
>  could be some sort of quick check that it was the exact same font
>  (digital signatures or something, perhaps).

I don’t think that such a mechanism should be specified via CSS work. I 
really don’t know how you’d specify such a thing anyway. Signatures can 
be forged and you can’t definitively tell if two files are identical 
except by downloading them (which would defeat the point).

>  Which in turn means that I will need a separate version for my https
>  site than for my http site, right? Otherwise the browser might
>  display some sort of warning about mixed security on the page if I
>  have the http URI on the https page, right? Any way around that?

This is a user agent issue. If there’s a problem with it, talk to the UA 
vendor.

Assuming that you can’t live with such a warning message for fear that 
your users will panic and that downloading the font file a second time 
is unacceptable, you could always scrap use of the font in HTTPS 
documents. You might also use an HTTPS font file for even HTTP pages, 
but then, I assume, you would still get the mixed content message and 
ignorant users might still panic even though their page is /more/ 
secure. Or you could just not use this feature at all.

Also, isn’t this another one of those things that would apply to other 
file formats? Again, why except font file formats?

>  I suppose if IE was the only one to display those annoying alerts
>  (that most people ignore but some people are alarmed by), then it
>  wouldn't matter much, since MS seems to be against supporting font
>  downloads that are not in their EOT format anyway. Or would IE
>  display the alert anyway, even though it wouldn't load the font?I
>  wouldn't presume that IE would suppress the alert when it didn't
>  matter; that would probably make too much sense, and I've long ago
>  given up on IE having reasonable, logical, predictable behavior.

You’d have to ask someone at Microsoft about that.

Received on Tuesday, 15 April 2008 18:16:53 UTC