
Re: [css-font-loading] feedback

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Wed, 28 May 2014 14:23:48 -0700
Message-ID: <CAAWBYDAeZAuVpwFrC=FbY+1vARj9jYoYu6-uPYjM5h0pZ7mPdg@mail.gmail.com>
To: Rik Cabanier <cabanier@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "www-style@w3.org" <www-style@w3.org>, Domenic Denicola <domenic@domenicdenicola.com>

On Wed, May 28, 2014 at 1:34 PM, Rik Cabanier <cabanier@gmail.com> wrote:
> Is there anything you can actually do today with a font in a worker? It
> seems like this should be put at-risk immediately  :-)

Canvas-in-workers is a specced thing, and you'll need FontFace to draw
text there.

> The spec doesn't mention anything about CORS or fetching. Should it not
> reference or at least mention it?

I dunno, should it?  I explicitly say to attempt to load it as defined
in Fonts, so I assumed that all the text in Fonts applies
automatically, including same-origin/etc.

> You can construct a 'FontFace' with random data. Wouldn't that be dangerous?

No more dangerous than loading a font that's actually just random data
today.  (In other words, probably a little bit, yeah, but there's no
way around it besides hardening your font stack.)

> Also, passing invalid font data should fail somehow but your algorithm
> doesn't cover that.

Sure I do - if it fails to load, it rejects the promise and sets its
status to "error".  This happens both for binary data (in the
constructor) and network-loaded fonts (in the load() method).

~TJ
Received on Wednesday, 28 May 2014 21:24:35 UTC
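
Added example, not part of the original message or of the spec text: one way a page can handle untrusted bytes handed to the `FontFace` constructor, relying on the rejection and `"error"` status described above. The helper names `sniffFontContainer` and `loadUntrustedFont` are hypothetical, the code assumes the `loaded` promise and `status` attribute of the `FontFace` interface as shipped in browsers, and the signature check is only a cheap pre-filter in front of the engine's own parser.

```javascript
// Added example: defensive handling of untrusted bytes passed to FontFace.
// sniffFontContainer() and loadUntrustedFont() are hypothetical helper names.

// First four bytes (hex) of the common web font containers.
const SIGNATURES = {
  '774f4646': 'woff',          // "wOFF"
  '774f4632': 'woff2',         // "wOF2"
  '00010000': 'truetype',      // sfnt version 1.0
  '4f54544f': 'opentype-cff',  // "OTTO"
  '74746366': 'collection',    // "ttcf"
};

// Returns the container name, or null when the bytes cannot be a font.
// Accepts an ArrayBuffer or a Uint8Array.
function sniffFontContainer(bytes) {
  const view = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  if (view.length < 4) return null;
  const magic = Array.from(view.subarray(0, 4),
    (b) => b.toString(16).padStart(2, '0')).join('');
  return SIGNATURES[magic] || null;
}

// Resolves to { ok, status, container } and never throws on bad data.
// FontFaceCtor defaults to the browser's FontFace; it is a parameter only
// so the function can be exercised outside a browser.
async function loadUntrustedFont(family, bytes, FontFaceCtor = globalThis.FontFace) {
  const container = sniffFontContainer(bytes);
  if (container === null) {
    // Random data is dropped before it reaches the font parser at all.
    return { ok: false, status: 'rejected-by-sniff', container };
  }
  const face = new FontFaceCtor(family, bytes); // parsing starts immediately
  try {
    await face.loaded;           // rejects when the engine cannot parse the data
    return { ok: true, status: face.status, container, face };
  } catch (err) {
    // A plausible header with a broken body ends up here, status "error".
    return { ok: false, status: face.status, container };
  }
}
```

Only a face returned with `ok: true` should be added to `document.fonts`; everything else is dropped without being used for rendering.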
