- From: Rik Cabanier <cabanier@gmail.com>
- Date: Wed, 28 May 2014 16:09:14 -0700
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, "www-style@w3.org" <www-style@w3.org>, Domenic Denicola <domenic@domenicdenicola.com>
- Message-ID: <CAGN7qDCg5tzMU5FOVYLt61e=QHZAi-V7jjFgeWARVpiF38taOw@mail.gmail.com>
On Wed, May 28, 2014 at 2:23 PM, Tab Atkins Jr. <jackalmage@gmail.com>wrote: > On Wed, May 28, 2014 at 1:34 PM, Rik Cabanier <cabanier@gmail.com> wrote: > > Is there anything you can actually do today with a font in a worker? It > > seems like this should be put at-risk immediately :-) > > Canvas-in-workers is a specced thing, and you'll need FontFace to draw > text there. It is specced but it wasn't based on anyone's input. Mozilla had an alternate proposal that they were going to investigate but AFAIK that hasn't happened yet. > > The spec doesn't mention anything about CORS or fetching. Should it not > > reference or at least mention it? > > I dunno, should it? I explicitly say to attempt to load it as defined > in Fonts, so I assumed that all the text in Fonts applies > automatically, including same-origin/etc. There are unsolved issues with CORS from a worker. The Fonts spec didn't have to deal with that. > > You can construct a 'FontFace' with random data. Wouldn't that be > dangerous? > > No more dangerous than loading a font that's actually just random data > today. (In other words, probably a little bit, yeah, but there's no > way around it besides hardening your font stack.) > > > Also, passing invalid font data should fail somehow but your algorithm > > doesn't cover that. > > Sure I do - if it fails to load, it rejects the promise and sets its > status to "error". This happens both for binary data (in the > constructor) and network-loaded fonts (in the load() method). > Ok, I guess I was confused by the fact if you pass a URL, the font isn't loaded but with a blob it is. Maybe change: If the load was successful To: If the parsing was successful Is there a reason why there is this distinction? Why not always require 'load'? The author has to wait for the font to be parsed anyway.
Received on Wednesday, 28 May 2014 23:09:41 UTC