Re: css3-fonts: should not dictate usage policy with respect to origin

Christoph Päper wrote:

> There’s only one reasonable one, in my humble opinion.
> 
>>   - move same-origin requirements from WOFF and CSS3-FONTS to a third
>>   "WebFonts Conformance Specification";
> 
> Yes, this avoids layer and domain violations. 

I'm broadly in agreement with this approach. My preference is for

a) the From-Origin header to be formally drafted and proposed, and to 
find an appropriate home in W3C recommendations, and

b) for this to be normatively referenced in the 'Webfont Conformance 
Specification'.

Our concern at the moment is that we don't want to remove all reference 
to same origin mechanisms from draft webfonts documents while they 
remain uncovered elsewhere, because we have good reason to suppose that 
this will shake confidence in the WOFF model among some stakeholders. 
Many font vendors have begun licensing fonts in the WOFF format on the 
reasonable assumption, after two years, that some form of same origin 
restriction will apply to them.

I suspect that drafting the chartered 'Webfont Conformance 
Specification' will be a priority for the WG now.

[Note that I'm talking only about WOFF and Webfonts, and not about CSS. 
I think Jonathan Kew has made a reasonable argument as to why the CSS 
font module is actually a valid place for a same origin requirement, and 
perhaps others agree with him. There seems to me that there is a 
necessary discussion to be had about that.]

> The font file format (usually WOFF), the markup language (usually HTML), the stylesheet language (usually CSS) and the resource transfer protocol (usually HTTP) with origin restriction policies extensions (usually CORS/CORER) should not mandate one another, but there should be an umbrella specification labeled “Web Fonts” or some such, which font makers and vendors can expect browsers to conform (or comply) to. It should be issued by the W3C and it should not be made by the CSS WG.

The outstanding question for me is how reliable that expectation of 
conformance would be (not just for font makers/vendors, note, but for 
authors and users). Glenn has suggested that Samsung would treat any 
same origin requirement, wherever stated and using whatever mechanism, 
as optional, and the wording he has proposed makes this explicitly so. 
In other words, a UA could conform even if it chose to ignore the same 
origin requirement. I'm not happy about that, because I do think we 
should be able to reliably anticipate what a conformant UA will be doing 
when encountering a well-defined, standardised same origin mechanism. 
This affects not only author intent (whether in conformance with a 
license or for other reasons) but also user experience: presuming, 
reasonably I think, that a single user may be visiting the same site 
using different UAs on a variety of devices, having some UAs allow 
hotlinking of webfont resources and others not will create divergent 
user experiences. Yes, some measure of divergence is expected in dynamic 
content, but this doesn't seem an area in which there is any benefit.

JH

Received on Sunday, 19 June 2011 17:56:10 UTC