RE: css3-fonts: should not dictate usage policy with respect to origin

First, there is no such thing as a ‘retro-active requirement’. New drafts only affect future implementations. As there are no explicit or implicit requirements for you to go back and fix legacy devices every time a draft specification is updated, the claim that such an obligation is forcing you to object has no basis and thus no compromise seems necessary to resolve it. Since you point out that you have no objection to this requirement for new ‘HTML5’ devices, I wonder if you could elaborate on what makes you believe those devices that predate it must be updated to conform to it?

Second, as some of us have successfully deployed this font access policy to hundreds of millions of users, we do have some understanding of its real-world impact and I am available to answer any questions you may have on the matter. In Microsoft’s case, many of our users still run a 10 year-old browser on a 10 year-old OS (as you say, PCs *can* be updated more easily; it doesn’t follow that they are…) running an implementation of @font-face originally based on a specification older than css3-fonts’ first draft. We also support a legacy font encoding (EOT) and apply same-origin restrictions to resources in this format in our latest release; we do so despite the fact that no such requirement ever existed for EOT, never mind that EOT supports its own origin restriction mechanism. Our older releases (as well as emulations of these older releases) do, however, remain unchanged and still download EOT fonts from all origins; precisely because, yes, this would be a breaking change, because our customers expect older versions to remain stable i.e. compatible with our implementation of the standards of their time…and because there are no ‘retro-active requirements’ to update these older releases.

By the way, since the change you request would likely conflict with deployed IE and Firefox implementations by making failure scenarios valid, wouldn’t you expect Mozilla and Microsoft to object for the same reasons? Surely such a change would be as retro-active on our UAs as it is on yours? Shouldn’t this impact also be taken into account?
Third, I do not believe I made an unfair generalization of your argument; but I find it encouraging that you seem to disagree with a generalization of it. Maybe you believe your request justified because of its narrow and targeted nature, as you perceive it? It could explain part of the gap in understanding we’re struggling with.

To summarize, you are stating that the existence of Samsung CE devices implementing a prior draft of CSS3 Fonts requires you to formally object to those changes that are incompatible with these devices. In the absence of any concrete expectation or demand by the CSS WG or the Fonts WG that you update these products to conform with a requirement drafted after they were designed and released, and in the absence of any use-case demonstrating end-user harm – a UA that loads fonts from all origins will render all pages designed for UAs that enforce SOR - I consider your objection unreasonable as stated and see no further action that can, or should, be taken.

I do, of course, welcome discussion of this requirement on its own merits or lack thereof, as it may be.


From: www-style-request@w3.org [mailto:www-style-request@w3.org] On Behalf Of Glenn Adams
Sent: Thursday, June 23, 2011 1:22 PM
To: Sylvain Galineau
Cc: liam@w3.org; Levantovsky, Vladimir; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org; www-font@w3.org; Martin J.
Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

One must recognize that (1) UAs deployed in CE devices are not the same category as PCs, which can be updated more easily; (2) css3-fonts has been under development for an inordinately long time and the need for @font-face implementations has existed since the beginning; (3) UAs *are* deployed that use @font-face and that do not support HTML5 or same-origin.

These are facts that should be considered, and as a representative of a company that has deployed such UAs, Samsung will continue to object to a retroactive requirement on these UAs to support same origin. We do not, however, have the same position for HTML5 category UAs that are now appearing in the field.

Of course, a WG is entitled to change a non-final spec in a non-backward compatible manner, but in doing so should take into account the impact of such a change. Finally, I did not suggest such a generalization as you state below.

I am attempting to find compromise language that Samsung can live with. Are you interested in finding a compromise that can remove our objection or not?

G.

On Thu, Jun 23, 2011 at 2:11 PM, Sylvain Galineau <sylvaing@microsoft.com<mailto:sylvaing@microsoft.com>> wrote:
As a *draft* specifications, css3-fonts and WOFF can certainly define new requirements for future implementations. Your entire argument would imply that once a draft has been implemented future versions of the spec must be compatible with those implementations. This is not the way CSS works; no implementation that implemented a given draft is guaranteed conformance with the next one. The main motive for vendor prefixes is to allow specifications to evolve without breaking implementations. That historical implementations did not prefix their @font-face implementation should not block us from achieving both interoperability and desirable runtime behavior in future implementations.


From: public-webfonts-wg-request@w3.org<mailto:public-webfonts-wg-request@w3.org> [mailto:public-webfonts-wg-request@w3.org<mailto:public-webfonts-wg-request@w3.org>] On Behalf Of Glenn Adams
Sent: Thursday, June 23, 2011 12:59 PM
To: liam@w3.org<mailto:liam@w3.org>
Cc: Levantovsky, Vladimir; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org<mailto:public-webfonts-wg@w3.org>; www-font@w3.org<mailto:www-font@w3.org>; Martin J.

Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

Samsung supports your suggestion below if it is expressed either as "should" or made conditionally mandatory, where the condition is expressed as follows or an equivalent:

"If the use of WOFF occurs in a context where same origin access constraints are *already* present/supported, then that mechanism *must* be used to limit access to WOFF fonts; otherwise, such a mechanism *should* be provided for such use."

We do not want the use of WOFF by itself, or css3-fonts, by itself, to trigger a mandatory requirement for same origin processing in contexts that don't already support such constraints. For example, in HTML4 or XHTML1 category UAs that already support @font-face or that wish to support WOFF.

We note that the @font-face rule has been defined in css3-fonts since 31 July 2001, and that a variety of UAs have been fielded in the non-desktop environment (e.g., mobile, television, etc), which employ @font-face for accessing other non-WOFF fonts, and do so without same origin restrictions. This would argue against introducing a non-backward compatible change in css3-fonts to mandate same origin processing for prior fielded implementations that do not otherwise support same origin. WOFF similarly should not by itself trigger mandatory support for same origin in such UAs.

G.
On Thu, Jun 23, 2011 at 11:30 AM, Liam R E Quin <liam@w3.org<mailto:liam@w3.org>> wrote:
The WOFF spec could say in its conformance section (right in the spec,
not in a separate document) that for use in style sheets (not only CSS)
an implementation-defined mechanism should (must?) be available to limit
access to the WOFF resource outside of support for the style sheets, and
maybe give same-origin as an example.