Re: [css-font-loading] feedback

On Wed, May 28, 2014 at 2:23 PM, Tab Atkins Jr. <jackalmage@gmail.com>wrote:

> On Wed, May 28, 2014 at 1:34 PM, Rik Cabanier <cabanier@gmail.com> wrote:
> > Is there anything you can actually do today with a font in a worker? It
> > seems like this should be put at-risk immediately  :-)
>
> Canvas-in-workers is a specced thing, and you'll need FontFace to draw
> text there.


It is specced but it wasn't based on anyone's input.
Mozilla had an alternate proposal that they were going to investigate but
AFAIK that hasn't happened yet.


> > The spec doesn't mention anything about CORS or fetching. Should it not
> > reference or at least mention it?
>
> I dunno, should it?  I explicitly say to attempt to load it as defined
> in Fonts, so I assumed that all the text in Fonts applies
> automatically, including same-origin/etc.


There are unsolved issues with CORS from a worker. The Fonts spec didn't
have to deal with that.


> > You can construct a 'FontFace' with random data. Wouldn't that be
> dangerous?
>
> No more dangerous than loading a font that's actually just random data
> today.  (In other words, probably a little bit, yeah, but there's no
> way around it besides hardening your font stack.)
>
> > Also, passing invalid font data should fail somehow but your algorithm
> > doesn't cover that.
>
> Sure I do - if it fails to load, it rejects the promise and sets its
> status to "error".  This happens both for binary data (in the
> constructor) and network-loaded fonts (in the load() method).
>

Ok, I guess I was confused by the fact if you pass a URL, the font isn't
loaded but with a blob it is.
Maybe change:

If the load was successful

To:

If the parsing was successful

Is there a reason why there is this distinction? Why not always require
'load'? The author has to wait for the font to be parsed anyway.