Re: WebFonts ready for use

On Apr 30, 2008, at 1:15 AM, Erik Dahlström wrote:

> On Tue, 29 Apr 2008 04:17:45 +0200, Maciej Stachowiak  
> <> wrote:
>> On Apr 22, 2008, at 8:13 PM, Brad Kemper wrote:
>>> On Apr 22, 2008, at 2:50 PM, Paul Nelson (ATC) wrote:
>>>> Given the other discussions on this list with regards to [...]  
>>>> sharing embedded fonts between pages, the concept of using raw  
>>>> fonts on the internet is still of great concern to commercial  
>>>> font vendors.
>>> What is the danger of sharing fonts between pages, if they could  
>>> be somehow verified to be the same font first, which would really  
>>> be a prerequisite to doing so (to prevent abuse to the page from  
>>> another site's pages). If it is the same font, and only existed in  
>>> the browser's RAM, then how can that hurt font vendors? All it  
>>> does is prevent the same font from having to load twice.
>> I think Safari/WebKit will indeed load the font once if loaded from  
>> the same URL (for example if two documents share a stylesheet  
>> referencing the font or if they have different stylesheets  
>> referencing the same font URL). We do not attempt to optimize for  
>> the case of bitwise identical font files loaded from different URLs  
>> - I am not sure this would be worth it.
>> I do not think either form of sharing is precluded by the spec, or  
>> security or IP considerations. These are simply transparent  
>> performance optimizations.
>> What is not OK (in my opinion) is exposing the font to Web pages  
>> that don't have an @font-face rule for it in their stylesheet,
> Once a webfont has been installed for use in a UA I don't see why it  
> would have to be limited to the webpage that included the @font- 
> face. I'm for example thinking of the case where all the systemfonts  
> didn't contain glyphs for some particular range, while a webfont  
> happened to do so. I think in such a situation it would be better to  
> show some text using the webfont rather than to show missing glyphs  
> (usually hollow rects) or even no text at all.

I think this still creates security risk from malicious fonts. Also,  
it would make it difficult for authors to serve a font only licensed  
for embedding in documents they produce, since the UA may use it for  
other documents without any deliberate action on the part of either  
the site or the user.

>> or installing it on the system where random documents and  
>> applications can see it. That would be a security risk and would  
>> not even conceptually be embedding.
> I agree it shouldn't be installed on the system so that other  
> applications can see it.

I think unrelated pages that do not request the font are conceptually  
the same as other applications, for purposes of this analysis.


Received on Wednesday, 30 April 2008 10:30:04 UTC