Re: css3-fonts: should not dictate usage policy with respect to origin

Hi Glenn,

You write that you've proposed several different alternatives to the existing origin restriction requirement in the CSS3 Fonts specification.  However, all of these seem to be to achieve the same effect, that is to make origin restrictions on fonts loading via @font-face rules optional in one form or another, either by changing "must" clauses to "should" clauses or by spinning the requirements out to other specs.

The one thing I would like to understand is whether this is simply because of the specified origin restriction mechanism (i.e. same origin restricted by default using CORS to relax or explicit restriction via the proposed From-Origin header).  Are you objecting to either of these being required behavior or just the former of these two proposals?

I've read through your messages and I'm still not seeing a compelling reason to make the existing requirements optional, if anything recent events emphasize the compelling reasons for this requirement.  Issues like this related to security are even more important for relatively closed environments like set-top boxes where updates are infrequent.

As background, I think it would be useful to read through a description of a recent WebGL security issue below.  The context is slightly different but the issue is the same, especially what is described in the section "Cross-Domain Image Theft":

My intention is to bring up the specific issue as to whether to make this requirement optional or not during next week's CSS WG call, I think it's best to have a formal resolution on this issue.


John Daggett
CSS3 Fonts Editor

Received on Wednesday, 29 June 2011 17:56:33 UTC