- From: Zack Weinberg <zackw@panix.com>
- Date: Fri, 3 Apr 2015 11:53:30 -0400
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "www-style@w3.org" <www-style@w3.org>
On Fri, Apr 3, 2015 at 4:52 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> I'm defining X-Content-Type-Options which can be used to prevent
> sniffing. I think it would make sense to support this header for
> various font loading features that currently ignore MIME types.
> However, that requires a list of font MIME types. Where should we keep
> the definitive list? In the Font Loading specification?
I researched this back in 2011
<https://www.owlfolio.org/htmletc/strawman-mime-type-for-fonts/>. At
that time the only officially registered MIME type for a font format
was "application/font-tdpfr", corresponding to an obsolete format that
has never been implemented by any browser to my knowledge. The IANA
registry now also includes application/font-sfnt and
application/font-woff, but I doubt either of them has significant
traction. In 2011, types being used (completely unofficially) for
fonts included application/octet-stream, application/ttf,
application/otf, application/truetype, application/opentype,
application/woff, application/eot, all of the above with an x-prefix,
and all of the above in font/ instead of application/, with or without
the x-. I did not check whether Content-Type headers that specified a
particular format were accurate.
All the font formats that browsers actually support are unambiguously
identifiable by their in-band metadata ("magic numbers" and the like)
and it is therefore my opinion that, like images, font formats SHOULD
be identified using that metadata, *not* any out-of-band declaration
(in other words, browsers SHOULD continue to ignore the MIME type for
fonts).
zw
Received on Friday, 3 April 2015 15:53:56 UTC