Re: css3-fonts: should not dictate usage policy with respect to origin


On Wed, Jun 29, 2011 at 11:55 AM, John Daggett <> wrote:

> Hi Glenn,
> You write that you've proposed several different alternatives to the
> existing origin restriction requirement in the CSS3 Fonts specification.
>  However, all of these seem to be to achieve the same effect, that is to
> make origin restrictions on fonts loading via @font-face rules optional in
> one form or another, either by changing "must" clauses to "should" clauses
> or by spinning the requirements out to other specs.
> The one thing I would like to understand is whether this is simply because
> of the specified origin restriction mechanism (i.e. same origin restricted
> by default using CORS to relax or explicit restriction via the proposed
> From-Origin header).  Are you objecting to either of these being required
> behavior or just the former of these two proposals?

either, but only the case of UAs that do not already implement same origin
requirements or are not otherwise mandated to do so (e.g., mandated by
HTML5); we want existing HTML4/XHTML1 category UAs that do not otherwise
implement same origin to be able to normatively make use of css3-fonts and
woff without bringing same origin into the picture;

i've repeated this basic objection some number of times now

> I've read through your messages and I'm still not seeing a compelling
> reason to make the existing requirements optional, if anything recent events
> emphasize the compelling reasons for this requirement.  Issues like this
> related to security are even more important for relatively closed
> environments like set-top boxes where updates are infrequent.

the primary motivation from our perspective is:

   1. maintaining interoperability while permitting forward compatibility
   with HTML4/XHTML1 class UAs or any similar UA that does not already
   implement same origin restrictions;

 secondary motivations include:

   1. the desire to avoid introducing an asymmetry in css derived resource
   fetch processing, namely, where same origin applies only to fonts but to no
   other css derived fetch

As background, I think it would be useful to read through a description of a
> recent WebGL security issue below.  The context is slightly different but
> the issue is the same, especially what is described in the section
> "Cross-Domain Image Theft":
i will take a look at this, but it sounds like "content protection" and DRM
scope to me just from the phrase "image theft"

> My intention is to bring up the specific issue as to whether to make this
> requirement optional or not during next week's CSS WG call, I think it's
> best to have a formal resolution on this issue.
> Regards,
> John Daggett
> CSS3 Fonts Editor

Received on Wednesday, 29 June 2011 18:40:41 UTC