Re: css3-fonts: should not dictate usage policy with respect to origin

To follow-up on this a bit more, it would be acceptable to include the basic
intent expressed by section 4.8 if it were replaced with the following text:

"If a user agent that makes normative use of this specification includes a
same-origin policy, then that policy, and the mechanisms it uses to enforce
that policy should apply to the loading of fonts via the @font-face

Even here, I am reticent to use the word "must" and instead use "should",
since a UA implementer that employs cross-origin constraints should still be
free to use this mechanism without necessarily using the same constraints.


On Fri, Jun 17, 2011 at 3:33 PM, Glenn Adams <> wrote:

> In [1], section 4.8, are specified constraints on use of css 3 fonts
> features, and, in particular, mandate cross origin reference constraints and
> the use of CORS.
> Such constraints constitute policy requirements that are unrelated to the
> definition of the underlying mechanisms defined by css3-fonts. Furthermore,
> effective use of the defined mechanisms does not depend on such a policy.
> Therefore, these policy requirements should be removed.
> If a specification defining UA behavior makes reference to css3-fonts and
> wishes to impose such a policy, then it may do so independently, and without
> affecting the functionality of the css3-fonts mechanism itself. Note that
> under a heading of "Security Issues", it may be indicated that such a policy
> may need to be defined and enforced by an external mechanism, defined
> outside of this specification.
> Please consider this a formal comment (and objection) from Samsung to
> imposing such policy constraints in this specification.
> Regards,
> Glenn Adams (for Samsung)
> [1]

Received on Friday, 17 June 2011 22:18:23 UTC