Re: New work on fonts at W3C

On Jun 23, 2009, at 2:30 AM, Anne van Kesteren wrote:

> On Mon, 22 Jun 2009 19:13:30 +0200, Brad Kemper  
> <brad.kemper@gmail.com> wrote:
>> Are you saying that there is a technical barrier to having CORS
>> provide restrictions instead of just easing restrictions, because it
>> would need to prevent a resource from loading instead of just
>> preventing it from executing? Or is it more of a philosophical problem
>> because that was not the original intent of the standard?
>
> Imposing restrictions is something the WG considered to be out of  
> scope very early on for reasons I and others already explained.

The only reasons I've heard have either been absurd, or left requests  
for clarification unanswered.

It seems absurd to me that if a Web site owner indicated that certain  
images were not to be used in cross-site linking, that there would be  
massive breakage of the Web, presumably because so much of the Web  
depends on copyright violation, and violation is more important than  
protection. I don't see that there is really that much violation going  
on though. Either resources are copied outright, or the images are not  
intended to be restricted, or the only people that would be affected
by the restrictions are thieves that would be just as foiled (at least  
temporarily) by the image owner removing the image or moving it to a  
different directory. That hardly sounds to me like something that  
would cause massive breakage.

Besides images, a restrictive header could also be used to prevent  
illegal iframing of pages, such as what currently aids phishing  
attacks and click-jacking.

Blocking ALL cross-site linking to a particular file type and then  
turning it off on a case-by-case basis (such as Firefox 3.5 will) is a  
much blunter hammer than just letting the site owners determine what  
they do and do not want restricted and then honoring that decision.

> (CORS can be used for images by the way, but not for imposing  
> restrictions on whether they can be displayed, but whether they can  
> be round-tripped through <canvas>.)
>
> I'm not sure why this thread became cc'ed to the WHATWG list by the  
> way.

Neither do I.

> The WHATWG has nothing to do with CORS. The W3C WebApps WG is  
> working on it. If people want to continue debating CORS I suggest  
> they subscribe to public-webapps@w3.org and make coherent proposals  
> there.

I don't care that much about all Web apps, but this one seems to have  
particular relevance to the issue here. If the draft of a standard on  
resource sharing is going to allow headers that say what sites can  
share, but refuse to use those to restrict access from other sites,  
then we (site owner/authors/font-licensees and foundries) are forced  
to look for some other way. We end up spinning our wheels trying to  
make CSS or the font itself restrict access, instead of handling it in  
the place that would be most natural.

Received on Tuesday, 23 June 2009 14:16:58 UTC