Re: New work on fonts at W3C

On Tue, 23 Jun 2009 16:16:17 +0200, Brad Kemper <> wrote:
> On Jun 23, 2009, at 2:30 AM, Anne van Kesteren wrote:
>> Imposing restrictions is something the WG considered to be out of scope  
>> very early on for reasons I and others already explained.
> The only reasons I've heard have either been absurd, or left requests  
> for clarification unanswered.
> It seems absurd to me that if a Web site owner indicated that certain  
> images were not to be used in cross-site linking, that there would be  
> massive breakage of the Web, [...]

That is not the only concern, though even if you disagree a feature that has negative impact when incorrectly used on clients that support it is certainly considered to be problematic by implementors. The other concern is that a simple proxy server can circumvent the limitation in most cases (when credentials are not involved).

> [...] presumably because so much of the Web  
> depends on copyright violation, and violation is more important than  
> protection.

This has nothing to do with it.

> [...] I don't see that there is really that much violation going  
> on though. Either resources are copied outright, or the images are not  
> intended to be restricted, or the only people that would be effected by  
> the restrictions are thieves that would be just as foiled (at least  
> temporarily) by the image owner removing the image or moving it to a  
> different directory. That hardly sounds to me like something that would  
> cause massive breakage.

No, end users would be affected.

> Besides images, a restrictive header could also be used to prevent  
> illegal iframing of pages, such as what currently aids phishing attacks  
> and click-jacking.

CORS is not a solution for this. (Also, solutions for this particular problem are floating around, but there's no agreement yet on what exactly it should be.)

> Blocking ALL cross-site linking to a particular file type and then  
> turning it off on a case-by-case basis (such as Firefox 3.5 will) is a  
> much blunter hammer than just letting the site owners determine what  
> they do and do not want restricted and then honoring that decision.

Yeah, as I said I do not really think what Gecko does here is the way to go.

>> The WHATWG has nothing to do with CORS. The W3C WebApps WG is working  
>> on it. If people want to continue debating CORS I suggest they  
>> subscribe to and make coherent proposals there.
> I don't care that much about all Web apps, but this one seems to have  
> particular relevance to the issue here. If the draft of a standard on  
> resource sharing is going to allow headers that say what sites can  
> share, but refuse to use those to restrict access from other sites, then  
> we (site owner/authors/font-licensees and foundries) are forced to look  
> for some other way. We end up spinning our wheels trying to make CSS or  
> the font itself restrict access, instead of handling it in the place  
> that would be most natural.

I do not see why fonts ought to get special treatment and cannot be treated just like images, videos, etc.

Anne van Kesteren

Received on Tuesday, 23 June 2009 15:27:11 UTC