Mercurial > drafts / file diff

     1.1 --- a/css-fonts/Fonts.html	Fri Aug 16 16:34:03 2013 +0900
     1.2 +++ b/css-fonts/Fonts.html	Fri Aug 16 17:29:52 2013 +0900
     1.3 @@ -322,15 +322,8 @@
     1.4       <li><a href="#font-face-loading"><span class=secno>4.8 </span>Font
     1.5        loading guidelines</a>
     1.6  
     1.7 -     <li><a href="#same-origin-restriction"><span class=secno>4.9
     1.8 -      </span>Same-origin restriction for fonts</a>
     1.9 -      <ul class=toc>
    1.10 -       <li><a href="#default-same-origin-restriction"><span class=secno>4.9.1
    1.11 -        </span>Default same-origin restriction</a>
    1.12 -
    1.13 -       <li><a href="#allowing-cross-origin-font-loading"><span
    1.14 -        class=secno>4.9.2 </span>Allowing cross-origin font loading</a>
    1.15 -      </ul>
    1.16 +     <li><a href="#font-fetching-requirements"><span class=secno>4.9
    1.17 +      </span>Font fetching requirements</a>
    1.18      </ul>
    1.19  
    1.20     <li><a href="#font-matching-algorithm"><span class=secno>5 </span>Font
    1.21 @@ -3021,56 +3014,16 @@
    1.22     that closely match the metrics of the downloadable fonts to avoid large
    1.23     page reflows where possible.
    1.24  
    1.25 -  <h3 id=same-origin-restriction><span class=secno>4.9 </span>Same-origin
    1.26 -   restriction for fonts</h3>
    1.27 -
    1.28 -  <h4 id=default-same-origin-restriction><span class=secno>4.9.1
    1.29 -   </span>Default same-origin restriction</h4>
    1.30 +  <p><a id=same-origin-restriction> </a><a
    1.31 +   id=allowing-cross-origin-font-loading> </a>
    1.32 +
    1.33 +  <h3 id=font-fetching-requirements><span class=secno>4.9 </span>Font
    1.34 +   fetching requirements</h3>
    1.35    <!-- TPAC 2011 Resolution to require same-origin restriction for loading fonts:
    1.36    http://lists.w3.org/Archives/Public/www-style/2011Nov/0711.html
    1.37    http://www.w3.org/2011/10/31-webapps-minutes.html#item02
    1.38  -->
    1.39  
    1.40 -  <p>User agents must implement a same-origin restriction when loading fonts
    1.41 -   via the <a href="#at-font-face-rule"><code>@font-face</code></a>
    1.42 -   mechanism. This restriction limits the loading of fonts for a given
    1.43 -   document to fonts loaded from the same origin. Fonts can only be loaded
    1.44 -   via the same host, port, and method combination as the containing
    1.45 -   document, using the <a
    1.46 -   href="http://www.w3.org/TR/html5/browsers.html#origin">origin matching
    1.47 -   algorithm</a> described in the <a href="#HTML5"
    1.48 -   rel=biblioentry>[HTML5]<!--{{!HTML5}}--></a> specification. The origin of
    1.49 -   the stylesheet containing <a
    1.50 -   href="#at-font-face-rule"><code>@font-face</code></a> rules is not used
    1.51 -   when deciding whether a font is same origin or not, only the origin of the
    1.52 -   containing document is used. The restriction applies to all font types.
    1.53 -
    1.54 -  <p>Given a document located at http://example.com/page.html, fonts defined
    1.55 -   with ‘<a href="#descdef-src"><code class=property>src</code></a>’
    1.56 -   definitions considered cross origin must not be loaded:
    1.57 -
    1.58 -  <pre>
    1.59 -/* same origin (i.e. domain, scheme, port match document) */
    1.60 -src: url(fonts/simple.woff);
    1.61 -src: url(//fonts/simple.woff);
    1.62 -
    1.63 -/* cross origin, different scheme */
    1.64 -src: url(https://example.com/fonts/simple.woff);
    1.65 -
    1.66 -/* cross origin, different domain */
    1.67 -src: url(http://another.example.com/fonts/simple.woff);
    1.68 -</pre>
    1.69 -
    1.70 -  <h4 id=allowing-cross-origin-font-loading><span class=secno>4.9.2
    1.71 -   </span>Allowing cross-origin font loading</h4>
    1.72 -
    1.73 -  <p>User agents must also implement the ability to relax this restriction
    1.74 -   using cross-site origin controls <a href="#CORS"
    1.75 -   rel=biblioentry>[CORS]<!--{{!CORS}}--></a> for fonts loaded via HTTP.
    1.76 -   Sites can explicitly allow cross-site downloading of font data using the
    1.77 -   <code>Access-Control-Allow-Origin</code> HTTP header. For other schemes,
    1.78 -   no explicit relaxation mechanism is defined or required.
    1.79 -
    1.80    <p>For font loads, user agents must use the <a
    1.81     href="http://www.w3.org/TR/html5/infrastructure.html#cors-enabled-fetch">potentially
    1.82     CORS-enabled fetch</a> method defined by the <a href="#HTML5"
    1.83 @@ -3079,6 +3032,15 @@
    1.84     "Anonymous" mode, set the referrer source to the stylesheet's URL and set
    1.85     the origin to the URL of the containing document.
    1.86  
    1.87 +  <p class=note>The implications of this for authors are that fonts will
    1.88 +   typically not be loaded cross-origin unless authors specifically takes
    1.89 +   steps to permit cross-origin loads. Sites can explicitly allow cross-site
    1.90 +   loading of font data using the <code>Access-Control-Allow-Origin</code>
    1.91 +   HTTP header. For other schemes, no explicit mechanism to allow
    1.92 +   cross-origin loading beyond what is permitted by the <a
    1.93 +   href="http://www.w3.org/TR/html5/infrastructure.html#cors-enabled-fetch">potentially
    1.94 +   CORS-enabled fetch</a> method is defined or required.
    1.95 +
    1.96    <h2 id=font-matching-algorithm><span class=secno>5 </span>Font Matching
    1.97     Algorithm</h2>
    1.98