Re: New work on fonts at W3C from Ben Weiner on 2009-06-22 (www-style@w3.org from June 2009)

From: Ben Weiner <ben@readingtype.org.uk>
Date: Mon, 22 Jun 2009 11:22:22 +0100
To: www-style@w3.org
CC: www-font@w3.org
Message-ID: <4A3F5B5E.6020308@readingtype.org.uk>
Hi all,

This thread seems to be wandering a little!

I think one interesting sub-thread looked at the question of whether 
Cross-Origin Resource Sharing ('CORS': 
http://www.w3.org/TR/access-control/) is suitable for use as a mechanism 
to prevent a couple of things that can happen when fonts are loaded 
remotely via css @font-face rules:
- use of third-party bandwidth
- use of third-party licenses.

Here are some notes for your consideration. They might help us to decide 
whether we are on the right track or not.


1. Using third-party bandwidth
==============================

Eg: fonts hosted on site X being called from css @font-face rules on 
site Y without the agreement of the owner of site X.

In the [non-normative] use-cases section of the draft CORS spec I read:

"The CSS @font-face construct prohibits cross-origin loads. With the
resource sharing policy someone could set up a Web service that sells
font licenses to selected servers and handles caching and bandwidth
usage for them." [http://www.w3.org/TR/access-control/#use-cases]

So here we have CORS as an enabler, lifting a restriction on 
cross-origin font loading.

The text I've quoted asserts that cross-origin loading of fonts is not 
compliant behaviour, but I could not find a corresponding assertion in 
the draft css3-fonts spec (I looked at 
http://www.w3.org/TR/css3-fonts/#font-reference-the-src-descriptor). I'm 
assuming that this proposal has not yet been considered by the people 
working on css3-fonts, but see 
https://developer.mozilla.org/en/HTTP_access_control which gives details 
of the policy that is implemented in Firefox 3.5. The question of access 
does not seem to be addressed explicitly in the Fonts Working Group 
charter ('FWG': http://www.w3.org/2009/03/fonts-wg-charter) but its 
relevance is heavily implied.

Note that "the @font-face linking mechanism is defined by the CSS 
Working Group, [...] although [the FWG] may propose changes to the CSS 
Working Group" and is out of scope for the FWG. 
[http://www.w3.org/2009/03/fonts-wg-charter#out]


2. Using third-party licenses
=============================

Eg: fonts licensed for site X being called from css @font-face rules on 
site Y without the agreement of the the person granting the licence.

I don't believe that CORS is intended to express licensing information 
or to enforce licence conditions. Again from the use-cases section of 
the draft spec: "The main motivation behind Cross-Origin Resource 
Sharing was to remove the same origin restriction from various APIs so 
that resources can be shared among different origins (i.e. servers)." 
This is a solution to a technical problem, not a commercial one.

In this case the proposed W3C Fonts Working Group seems to be the place 
to look for answers, rather than any current or draft specification 
including CORS. Personally, I'm hoping the outcome of the Fonts Working 
Group will break new ground on the expression of licensing information 
across all media. Hope springs eternal :-)


In summary
==========

On the bandwidth/server usage question, it looks as if CORS could help. 
For example it would allow font software vendors to host fonts 
themselves and sell licenses to web site owners. It would also enable 
OFLB (http://www.openfontlibrary.org/) to host permissively licensed 
fonts on behalf of the whole web community.

It would achieve this by opening up cross-origin access to the fonts -- 
an ability that now appears unnecessary, unless you're a user running 
Firefox 3.5, because common-origin restrictions within the @font-face 
spec [which as noted above, don't seem to exist right now] are not 
implemented in all @font-face supporting browsers that are currently 
shipping. So for CORS to be useful here, those restrictions would need 
to be part of the css3-fonts spec first.

On the licence question, I don't see anything in CORS that attempts to 
use software to grapple with this emotive area and I hope that remains 
the case. The Fonts Working Group seems to be the place; I read that the 
group "primarily conducts its work on the public mailing list 
www-font@w3.org" but I don't see much there: is anything happening? ;-) 
[http://lists.w3.org/Archives/Public/www-font/2009AprJun/]

My suggestion would be to assume that in the case of font linking with 
@font-face, CORS is for preventing the use of third-party bandwidth and 
not for expressing or enforcing the conditions of a licence. Your 
better-informed responses please!

Cheers,
Ben

-- 
Ben Weiner | http://readingtype.org.uk/about/contact.html
Received on Monday, 22 June 2009 10:52:17 UTC