- From: Brad Kemper <brad.kemper@gmail.com>
- Date: Tue, 23 Jun 2009 10:00:59 -0700
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "Mikko Rantalainen" <mikko.rantalainen@peda.net>, François REMY <fremycompany_pub@yahoo.fr>, "Robert O'Callahan" <robert@ocallahan.org>, "CSS 3 W3C Group" <www-style@w3.org>
On Jun 23, 2009, at 8:26 AM, Anne van Kesteren wrote:

> That is not the only concern, though even if you disagree a feature
> that has negative impact when incorrectly used on clients that
> support it is certainly considered to be problematic by
> implementors. The other concern is that a simple proxy server can
> circumvent the limitation in most cases (when credentials are not
> involved).

That other concern is no more or less an issue with CORS than when it is used as currently specified. Currently, it says you can have headers that relax restrictions. Those can also be broken by a proxy server in the same way, preventing the resource from being used in places where it should be allowed. It still comes down to a WG deciding that relaxing restrictions is more important than setting restrictions, instead of leaving this decision to the Web publisher.

>> Besides images, a restrictive header could also be used to prevent
>> illegal iframing of pages, such as what currently aids phishing
>> attacks and click-jacking.
>
> CORS is not a solution for this. (Also, solutions for this
> particular problem are floating around, but there's no agreement yet
> on what exactly it should be.)

I don't see why it couldn't be, if it expanded its role just a bit. A page has headers too, and the UA could check those headers before displaying the page in a frame or iframe.

>> I don't care that much about all Web apps, but this one seems to have
>> particular relevance to the issue here. If the draft of a standard on
>> resource sharing is going to allow headers that say what sites can
>> share, but refuse to use those to restrict access from other sites,
>> then we (site owner/authors/font-licensees and foundries) are forced
>> to look for some other way. We end up spinning our wheels trying to
>> make CSS or the font itself restrict access, instead of handling it
>> in the place that would be most natural.
>
> I do not see why fonts ought to get special treatment and cannot be
> treated just like images, videos, etc.

Well, exactly. That's why I prefer a general solution such as CORS, to an issue that font creators are having with their property being too freely available. They are the ones that are preventing widespread adoption right now, but a general solution would help many others with IP they would like to make accessible on a more restricted basis.

Received on Tuesday, 23 June 2009 17:01:37 UTC