Re: css3-fonts: should not dictate usage policy with respect to origin

On Jun 20, 2011, at 9:49 , Florian Rivoal wrote:

> On Mon, 20 Jun 2011 02:55:38 +0900, John Hudson <tiro@tiro.com> wrote:
> 
>> I'm broadly in agreement with this approach. My preference is for
>> 
>> a) the From-Origin header to be formally drafted and proposed, and to find an appropriate home in W3C recommendations, and
>> 
>> b) for this to be normatively referenced in the 'Webfont Conformance Specification'.
>> 
>> Our concern at the moment is that we don't want to remove all reference to same origin mechanisms from draft webfonts documents while they remain uncovered elsewhere, because we have good reason to suppose that this will shake confidence in the WOFF model among some stakeholders. Many font vendors have begun licensing fonts in the WOFF format on the reasonable assumption, after two years, that some form of same origin restriction will apply to them.
>> 
>> I suspect that drafting the chartered 'Webfont Conformance Specification' will be a priority for the WG now.
> 
> I agree this is probably the way to go. There is only an editor's draft so
> far for the From-Origin header, but that's already better than the blog
> entry you and I pointed to earlier.
> 
> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html


I don't think that this was what was previously agreed.  I am under the impression that the agreement is that no format document will mention same-origin restrictions, but that CSS Fonts will say that the default same-origin restriction for fonts is that it is same-origin, which can be over-ridden with an explicit use of the same-origin header.

This means those intentionally putting libraries of fonts on the internet with the intention that they be usable in-place (not downloaded to the site that uses the font in their documents) will need to say so explicitly, but this doesn't seem unreasonable - they are either selling fonts or doing a give-away of fonts and bandwidth.

On Jun 21, 2011, at 7:41 , Florian Rivoal wrote:

>> True, and this is why I believe it is important to define what the default initial state is. I'd guess that the default state for many resource types would be "From-Origin=any" but it can also be resource type specific, so there can be cases (e.g. webfonts?) where setting a default to "From-Origin=same" could make sense. It really needs to be looked at from an author point of view and whether a particular default state would make authors' life easier or not.
> 
> In the current Form-Origin proposal, From-Origin=any is achieved by not having the header. I am not sure I agree that not having this header should mean different things for different types of resources. Consistency and predictability leads to fewer bugs.

Correct, it is not tied to the type of the resource, it's tied to how it is used (linked from @font-face) which is inline with other usage restrictions today.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Tuesday, 21 June 2011 14:10:17 UTC