- From: Glenn Adams <glenn@skynav.com>
- Date: Sat, 18 Jun 2011 16:31:25 -0600
- To: Jonathan Kew <jonathan@jfkew.plus.com>
- Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, John Hudson <tiro@tiro.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
- Message-ID: <BANLkTi=sPRtxpO0pDSzhM7rcKTG__zq5UA@mail.gmail.com>
I understand your argument, but Samsung does not agree with it:
1. we don't believe that mandating same-origin rules in a UA w.r.t. font
loading will encourage more widespread availability or use of webfonts; in
contrast, we do believe that completing WOFF and CSS3-FONTS and their rapid
adoption by UA implementers in a consistent, interoperable manner will
encourage more widespread use;
2. we don't believe (and are in fact strongly opposed) to defining such
rules in either WOFF or CSS3-FONTS, for the simple reason that neither of
these mechanisms define a proceses for accessing font resources; i.e., they
have no {FETCH,ACCESS}-RESOURCE primitive;
3. we do believe that it would be useful to define the *optional* use of
same-origin mechanisms in those specifications that do define a
{FETCH,ACCESS}-RESOURCE primitive, such as in the HTML5 specification, where
by *optional* we mean optional at two layers: (a) at the UA implementation
layer, and (b) at the UA's user preferences layer; that is, a UA implementer
should be able to decide whether or not to support same-origin, and if
supported, a user should be able to opt-out or, conversely, opt-in to
same-origin restrictions at a level of granularity determined by UA
implementer;
At this point, I believe I've stated the Samsung position clearly, and there
is no need to further elaborate. I will await the WGs' resolution of this
matter, and will be available for any teleconference or meeting that wishes
to discuss further.
Regards,
Glenn
On Sat, Jun 18, 2011 at 4:18 PM, Jonathan Kew <jonathan@jfkew.plus.com>wrote:
> On 18 Jun 2011, at 22:45, Glenn Adams wrote:
>
> > On Sat, Jun 18, 2011 at 11:17 AM, Tab Atkins Jr. <jackalmage@gmail.com>
> wrote:
> >> On Fri, Jun 17, 2011 at 6:47 PM, Glenn Adams <glenn@skynav.com> wrote:
> >> > In any case, a font file format (WOFF) and a font referencing system
> >> > (@font-face) do not need to have a security story. Describing fonts
> (the
> >> > format) and referring to them (the referencing system) does not
> require them
> >> > to be accessed. Access is part of the UA regime, and if there is
> policy and
> >> > controls on access, it should be defined at the UA layer, not the file
> >> > format or reference layer.
> >>
> >> The use of fonts on the web needs these sorts of restrictions. Do you
> >> have a concrete reason why they shouldn't be specified as they are
> >> (perhaps you're implementing CSS in a non-web context and don't
> >> believe the restrictions are useful in your context), or are you
> >> objecting on theoretical purity concerns?
> >>
> > First, I don't agree with your premise "that the use of fonts on the web
> needs these sorts of restrictions". That is a general statement that, while
> true in some cases, is not true in other cases.
>
> Certainly it is not true for every use of fonts on the web. Let me try
> rephrasing roughly what I think Tab probably meant. I believe (and I think
> the Web Fonts Working Group in general agrees) that specifying these sorts
> of restrictions as normative behavior for user agents implementing the
> @font-face rule will encourage more widespread availability and use of fonts
> on the web, by helping to mitigate some of the fears regarding abuse of the
> resources that are deployed. The rapid growth of Web Fonts services and
> usage over the past year or so, in the light of the emerging WOFF
> specification (which has always been understood as associated with a
> same-origin restriction by the typographic community) appears to support
> this belief.
>
> For those cases where the restrictions are not desired, simple mechanisms
> are provided to relax them. So those "other cases" that do not need
> restrictions are not blocked by this.
>
> >
> > Second, I am not saying "they shouldn't be specified". I'm saying they
> (same-origin mandate) should not be specified in WOFF or CSS3-FONTS. These
> are not the correct place to mandate or enforce such restrictions.
>
> I agree that WOFF is not the most appropriate place to mandate these
> restrictions, and the WG has expressed its willingness to remove this from
> the WOFF specification if and when it is dealt with elsewhere. It seems to
> me that CSS3 Fonts is, however, an entirely appropriate place to address the
> issue: this is where @font-face is specified, and the default same-origin
> requirement (along with the means to relax it) is intended to be an integral
> part of @font-face.
>
> JK
>
>
Received on Saturday, 18 June 2011 22:32:15 UTC