1.1 --- a/css-fonts/Fonts.html Fri Aug 16 16:34:03 2013 +0900 1.2 +++ b/css-fonts/Fonts.html Fri Aug 16 17:29:52 2013 +0900 1.3 @@ -322,15 +322,8 @@ 1.4 <li><a href="#font-face-loading"><span class=secno>4.8 </span>Font 1.5 loading guidelines</a> 1.6 1.7 - <li><a href="#same-origin-restriction"><span class=secno>4.9 1.8 - </span>Same-origin restriction for fonts</a> 1.9 - <ul class=toc> 1.10 - <li><a href="#default-same-origin-restriction"><span class=secno>4.9.1 1.11 - </span>Default same-origin restriction</a> 1.12 - 1.13 - <li><a href="#allowing-cross-origin-font-loading"><span 1.14 - class=secno>4.9.2 </span>Allowing cross-origin font loading</a> 1.15 - </ul> 1.16 + <li><a href="#font-fetching-requirements"><span class=secno>4.9 1.17 + </span>Font fetching requirements</a> 1.18 </ul> 1.19 1.20 <li><a href="#font-matching-algorithm"><span class=secno>5 </span>Font 1.21 
@@ -3021,56 +3014,16 @@ 1.22 that closely match the metrics of the downloadable fonts to avoid large 1.23 page reflows where possible. 1.24 1.25 - <h3 id=same-origin-restriction><span class=secno>4.9 </span>Same-origin 1.26 - restriction for fonts</h3> 1.27 - 1.28 - <h4 id=default-same-origin-restriction><span class=secno>4.9.1 1.29 - </span>Default same-origin restriction</h4> 1.30 + <p><a id=same-origin-restriction> </a><a 1.31 + id=allowing-cross-origin-font-loading> </a> 1.32 + 1.33 + <h3 id=font-fetching-requirements><span class=secno>4.9 </span>Font 1.34 + fetching requirements</h3> 1.35 <!-- TPAC 2011 Resolution to require same-origin restriction for loading fonts: 1.36 http://lists.w3.org/Archives/Public/www-style/2011Nov/0711.html 1.37 http://www.w3.org/2011/10/31-webapps-minutes.html#item02 1.38 --> 1.39 1.40 - <p>User agents must implement a same-origin restriction when loading fonts 1.41 - via the <a href="#at-font-face-rule"><code>@font-face</code></a> 1.42 - mechanism. This restriction limits the loading of fonts for a given 1.43 - document to fonts loaded from the same origin. Fonts can only be loaded 1.44 - via the same host, port, and method combination as the containing 1.45 - document, using the <a 1.46 - href="http://www.w3.org/TR/html5/browsers.html#origin">origin matching 1.47 - algorithm</a> described in the <a href="#HTML5" 1.48 - rel=biblioentry>[HTML5]<!--{{!HTML5}}--></a> specification. The origin of 1.49 - the stylesheet containing <a 1.50 - href="#at-font-face-rule"><code>@font-face</code></a> rules is not used 1.51 - when deciding whether a font is same origin or not, only the origin of the 1.52 - containing document is used. The restriction applies to all font types. 1.53 - 1.54 - <p>Given a document located at http://example.com/page.html, fonts defined 1.55 - with ‘<a href="#descdef-src"><code class=property>src</code></a>’ 1.56 - definitions considered cross origin must not be loaded: 1.57 - 1.58 - <pre> 1.59 -/* same origin (i.e. 
domain, scheme, port match document) */ 1.60 -src: url(fonts/simple.woff); 1.61 -src: url(//fonts/simple.woff); 1.62 - 1.63 -/* cross origin, different scheme */ 1.64 -src: url(https://example.com/fonts/simple.woff); 1.65 - 1.66 -/* cross origin, different domain */ 1.67 -src: url(http://another.example.com/fonts/simple.woff); 1.68 -</pre> 1.69 - 1.70 - <h4 id=allowing-cross-origin-font-loading><span class=secno>4.9.2 1.71 - </span>Allowing cross-origin font loading</h4> 1.72 - 1.73 - <p>User agents must also implement the ability to relax this restriction 1.74 - using cross-site origin controls <a href="#CORS" 1.75 - rel=biblioentry>[CORS]<!--{{!CORS}}--></a> for fonts loaded via HTTP. 1.76 - Sites can explicitly allow cross-site downloading of font data using the 1.77 - <code>Access-Control-Allow-Origin</code> HTTP header. For other schemes, 1.78 - no explicit relaxation mechanism is defined or required. 1.79 - 1.80 <p>For font loads, user agents must use the <a 1.81 href="http://www.w3.org/TR/html5/infrastructure.html#cors-enabled-fetch">potentially 1.82 CORS-enabled fetch</a> method defined by the <a href="#HTML5" 1.83 
@@ -3079,6 +3032,15 @@ 1.84 "Anonymous" mode, set the referrer source to the stylesheet's URL and set 1.85 the origin to the URL of the containing document. 1.86 1.87 + <p class=note>The implications of this for authors are that fonts will 1.88 + typically not be loaded cross-origin unless authors specifically takes 1.89 + steps to permit cross-origin loads. Sites can explicitly allow cross-site 1.90 + loading of font data using the <code>Access-Control-Allow-Origin</code> 1.91 + HTTP header. For other schemes, no explicit mechanism to allow 1.92 + cross-origin loading beyond what is permitted by the <a 1.93 + href="http://www.w3.org/TR/html5/infrastructure.html#cors-enabled-fetch">potentially 1.94 + CORS-enabled fetch</a> method is defined or required. 1.95 + 1.96 <h2 id=font-matching-algorithm><span class=secno>5 </span>Font Matching 1.97 Algorithm</h2> 1.98
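Review bot: In the hunk at -3021,56 +3014,16, the compatibility anchors placed before the new heading keep the ids same-origin-restriction and allowing-cross-origin-font-loading but drop default-same-origin-restriction, the id of the removed 4.9.1 heading, so existing links to that fragment will stop resolving. Suggest adding a third empty anchor carrying that id next to the other two. The retained HTML comment still reads "Resolution to require same-origin restriction for loading fonts" although the section no longer states that restriction in its own words; a short addition to the comment saying the requirement is now expressed through the potentially CORS-enabled fetch would keep the rationale traceable. The removed src examples (same origin, different scheme, different domain) have no replacement in this hunk; consider keeping them as a non-normative example so authors can still see which URLs count as cross-origin.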
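Review bot: In the added note paragraph of the hunk at -3079,6 +3032,15, "For other schemes" has lost its antecedent: the removed 4.9.2 text scoped the header to "fonts loaded via HTTP", but the new sentence about Access-Control-Allow-Origin no longer names a scheme, so it is unclear what "other" is relative to. Suggest restoring the scope, for example "Sites can explicitly allow cross-site loading of font data over HTTP using the Access-Control-Allow-Origin HTTP header." Also in the first sentence, "unless authors specifically takes steps" should read "unless authors specifically take steps".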