[webkit-dev] Same Origin Restriction on WOFF fonts across WebKit
abarth at webkit.org
Fri Jan 28 16:22:10 PST 2011
On Fri, Jan 28, 2011 at 4:07 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> On Jan 28, 2011, at 3:44 PM, Adam Barth wrote:
>> On Fri, Jan 28, 2011 at 3:11 PM, Maciej Stachowiak <mjs at apple.com> wrote:
>>> On Jan 28, 2011, at 3:06 PM, Tab Atkins Jr. wrote:
>>>> The WOFF font specification requires that browsers apply Same Origin
>>>> Restrictions (SOR) to WOFF fonts. So far, Firefox and IE9 follow this
>>>> requirement, while we and Opera don't.
>>>> As far as I know, our lack of SOR is basically an accident; we
>>>> implemented support for WOFF before this requirement was added, and
>>>> just haven't gotten around to adding it in yet.
>>>> Chrome people seem amenable to applying SOR to WOFF fonts in Chrome.
>>>> Is it okay to add this across all our webkit ports?
>>> It's not an accident. It has been our intent to willfully ignore this requirement.
>> What's the long-term plan here? Are we hoping the other folks will
>> come around to this point of view eventually? From a game-theory
>> point-of-view, it seems likely that the most permissive behavior is
>> likely to become wide-spread over time.
> A number of us at Apple who have followed downloadable fonts are not keen on adding pseudo-DRM code to WebKit. That's not the way the Web has worked historically, and there doesn't seem to be a good reason to special-case fonts. It's true that other people have come to the opposite conclusion, but there doesn't seem to be much reason to take their point of view.
> We also think it's bad to have this requirement in the spec. But we are willing to ignore the spec if it's not changed, as with other specs that we think are a bad idea. I don't think we are too concerned with whether other implementors come around to this idea, since it's unlikely to hurt our compatibility. We think of it as having an extra feature.
> Bottom line: if there's a strong desire to do this for Chrome, please at least make it switchable so we don't have to enable it for Safari.
Thanks for the info. I haven't been following the discussion closely,
but I understand that there was some disagreement on this topic. I'm
happy to deter to the folks who understand the issue in more detail.
More information about the webkit-dev