make same-origin restriction required

John Daggett · John Daggett · commit b08ce48939d1 · 2011-04-07T23:08:49.000Z
diff --git a/css3-fonts/Overview.html b/css3-fonts/Overview.html
@@ -101,7 +101,7 @@
   }
   
   </style>
-  <link href="http://www.w3.org/StyleSheets/TR/W3C-WD.css" rel=stylesheet
+  <link href="http://www.w3.org/StyleSheets/TR/W3C-ED.css" rel=stylesheet
   type="text/css">
 
  <body>
@@ -111,15 +111,15 @@
 
    <h1>CSS Fonts Module Level 3</h1>
 
-   <h2 class="no-num no-toc" id=w3c-working-draft-24-march-2011>W3C Working
-    Draft 24 March 2011</h2>
+   <h2 class="no-num no-toc" id=editors-draft-7-april-2011>Editor's Draft 7
+    April 2011</h2>
 
    <dl id=authors>
-    <dt>This version:</dt>
-    <!-- <dd><a href="http://dev.w3.org/csswg/css3-fonts/">http://dev.w3.org/csswg/css3-fonts/</a> -->
+    <dt>This version:
 
     <dd><a
-     href="http://www.w3.org/TR/2011/WD-css3-fonts-20110324">http://www.w3.org/TR/2011/WD-css3-fonts-20110324</a>
+     href="http://dev.w3.org/csswg/css3-fonts/">http://dev.w3.org/csswg/css3-fonts/</a>
+     <!-- <dd><a href="http://www.w3.org/TR/2011/ED-css3-fonts-20110407">http://www.w3.org/TR/2011/ED-css3-fonts-20110407</a> -->
      
 
     <dt>Latest version:
@@ -134,6 +134,9 @@ <h2 class="no-num no-toc" id=w3c-working-draft-24-march-2011>W3C Working
 
     <dt>Previous version (CSS3 Fonts):
 
+    <dd><a
+     href="http://www.w3.org/TR/2011/WD-css3-fonts-20110324">http://www.w3.org/TR/2011/WD-css3-fonts-20110324</a>
+
     <dd><a
      href="http://www.w3.org/TR/2009/WD-css3-fonts-20090618">http://www.w3.org/TR/2009/WD-css3-fonts-20090618</a>
 
@@ -181,41 +184,35 @@ <h2 class="no-num no-toc" id=abstract>Abstract</h2>
   <h2 class="no-num no-toc" id=status>Status of this document</h2>
   <!--begin-status-->
 
-  <p><em>This section describes the status of this document at the time of
-   its publication. Other documents may supersede this document. A list of
-   current W3C publications and the latest revision of this technical report
-   can be found in the <a href="http://www.w3.org/TR/">W3C technical reports
-   index at http://www.w3.org/TR/.</a></em>
-
-  <p>Publication as a Working Draft does not imply endorsement by the W3C
-   Membership. This is a draft document and may be updated, replaced or
-   obsoleted by other documents at any time. It is inappropriate to cite this
-   document as other than work in progress.
+  <p>This is a public copy of the editors' draft. It is provided for
+   discussion only and may change at any moment. Its publication here does
+   not imply endorsement of its contents by W3C. Don't cite this document
+   other than as work in progress.
 
   <p>The (<a
    href="http://lists.w3.org/Archives/Public/www-style/">archived</a>) public
-   mailing list <a href="mailto:www-style@w3.org">www-style@w3.org</a> (see
-   <a href="http://www.w3.org/Mail/Request">instructions</a>) is preferred
-   for discussion of this specification. When sending e-mail, please put the
-   text “css3-fonts” in the subject, preferably like this:
+   mailing list <a
+   href="mailto:www-style@w3.org?Subject=%5Bcss3-fonts%5D%20PUT%20SUBJECT%20HERE">
+   www-style@w3.org</a> (see <a
+   href="http://www.w3.org/Mail/Request">instructions</a>) is preferred for
+   discussion of this specification. When sending e-mail, please put the text
+   “css3-fonts” in the subject, preferably like this:
    “[<!---->css3-fonts<!---->] <em>…summary of comment…</em>”
 
-  <p>This document was produced by the <a
-   href="http://www.w3.org/Style/CSS/members">CSS Working Group</a> (part of
-   the <a href="http://www.w3.org/Style/">Style Activity</a>).
+  <p>This document was produced by the <a href="/Style/CSS/members">CSS
+   Working Group</a> (part of the <a href="/Style/">Style Activity</a>).
 
   <p>This document was produced by a group operating under the <a
-   href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February
-   2004 W3C Patent Policy</a>. W3C maintains a <a
-   href="http://www.w3.org/2004/01/pp-impl/32061/status"
+   href="/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent
+   Policy</a>. W3C maintains a <a href="/2004/01/pp-impl/32061/status"
    rel=disclosure>public list of any patent disclosures</a> made in
    connection with the deliverables of the group; that page also includes
    instructions for disclosing a patent. An individual who has actual
    knowledge of a patent which the individual believes contains <a
-   href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential
+   href="/Consortium/Patent-Policy-20040205/#def-essential">Essential
    Claim(s)</a> must disclose the information in accordance with <a
-   href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section
-   6 of the W3C Patent Policy</a>.</p>
+   href="/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the
+   W3C Patent Policy</a>.</p>
   <!--end-status-->
 
   <h3 class="no-num no-toc" id=atrisk>Features at risk</h3>
@@ -288,6 +285,12 @@ <h2 class="no-num no-toc" id=contents>Table of contents</h2>
 
      <li><a href="#font-rend-desc"><span class=secno>4.6 </span>Font
       features: the font-variant and font-feature-settings descriptors</a>
+
+     <li><a href="#font-face-loading"><span class=secno>4.7 </span>Font
+      loading guidelines</a>
+
+     <li><a href="#same-origin-restriction"><span class=secno>4.8
+      </span>Same-origin restriction for fonts</a>
     </ul>
 
    <li><a href="#font-matching-algorithm"><span class=secno>5 </span>Font
@@ -353,13 +356,10 @@ <h2 class="no-num no-toc" id=contents>Table of contents</h2>
    <li><a href="#rendering-considerations"><span class=secno>7
     </span>Resolving font feature settings </a>
 
-   <li class=no-num><a href="#same-origin-restriction">Appendix A:
-    Same-origin restriction for fonts</a>
-
-   <li class=no-num><a href="#platform-props-to-css">Appendix B: Mapping
+   <li class=no-num><a href="#platform-props-to-css">Appendix A: Mapping
     platform font properties to CSS properties</a>
 
-   <li class=no-num><a href="#font-licensing">Appendix C: Font licensing
+   <li class=no-num><a href="#font-licensing">Appendix B: Font licensing
     issues</a>
 
    <li class=no-num><a href="#ch-ch-ch-changes">Changes</a>
@@ -2131,7 +2131,7 @@ <h3 id=src-desc><span class=secno>4.3 </span>Font reference: the <a
    format hints "truetype" and "opentype" must be considered as synonymous; a
    format hint of "opentype" does not imply that the font contains Postscript
    CFF style glyph data or that it contains OpenType layout information (see
-   Appendix B for more background on this).
+   Appendix A for more background on this).
 
   <p>When authors would prefer to use a locally available copy of a given
    font and download it if it's not, local() can be used. The locally
@@ -2625,6 +2625,92 @@ <h3 id=font-rend-desc><span class=secno>4.6 </span>Font features: the <a
    omitted. When multiple font feature descriptors or properties are used,
    the cumulative effect on text rendering is described below.
 
+  <h3 id=font-face-loading><span class=secno>4.7 </span>Font loading
+   guidelines</h3>
+
+  <p>The @font-face rule is designed to allow lazy loading of fonts, fonts
+   are only downloaded when needed for use within a document. A stylesheet
+   can include @font-face rules for a library of fonts of which only a select
+   set are used; user agents must only download those fonts that are referred
+   to within the style rules applicable to a given page. User agents that
+   download all fonts defined in @font-face rules without considering whether
+   those fonts are in fact used within a page are considered non-conformant.
+   In cases where a font might be downloaded in character fallback cases,
+   user agents may download a font if it's listed in a font list but is not
+   actually used for a given text run.
+
+  <pre>
+@font-face {
+  font-family: GeometricModern;
+  src: url(font.ttf);
+}
+
+p {
+  /* font will be downloaded for pages with p elements */
+  font-family: GeometricModern, sans-serif;
+}
+
+h2 {
+  /* font may be downloaded for pages with h2 elements, even if Futura is available locally */
+  font-family: Futura, GeometricModern, sans-serif;
+}
+</pre>
+
+  <p>In cases where textual content is loaded before downloadable fonts are
+   available, user agents may render text as it would be rendered if
+   downloadable font resources are not available or they may render text
+   transparently with fallback fonts to avoid a flash of text using a
+   fallback font. In cases where the font download fails user agents must
+   display text, simply leaving transparent text is considered non-conformant
+   behavior. Authors are advised to use fallback fonts in their font lists
+   that closely match the vertical metrics of the downloadable fonts to avoid
+   large page reflows where possible.
+
+  <h3 id=same-origin-restriction><span class=secno>4.8 </span>Same-origin
+   restriction for fonts</h3>
+
+  <p>User agents must implement a same-origin restriction when loading fonts
+   via the @font-face mechanism. This restriction limits the loading of fonts
+   for a given document to fonts loaded from the same origin. Fonts can only
+   be loaded via the same host, port, and method combination as the
+   containing document, using the <a
+   href="http://www.w3.org/TR/html5/origin-0.html">origin matching
+   algorithm</a> described in the <a href="#HTML5"
+   rel=biblioentry>[HTML5]<!--{{!HTML5}}--></a> specification. The origin of
+   the stylesheet containing @font-face rules is not used when deciding
+   whether a font is same origin or not, only the origin of the containing
+   document is used.
+
+  <p>Given a document located at http://example.com/page.html, fonts defined
+   with ‘<a href="#descdef-src"><code class=property>src</code></a>’
+   definitions considered cross origin must not be loaded:
+
+  <pre>
+/* same origin (i.e. domain, protocol, port match document) */
+src: url(fonts/simple.ttf);                     
+src: url(//fonts/simple.ttf);                     
+
+/* cross origin, different protocol */
+src: url(https://example.com/fonts/simple.ttf);              
+
+/* cross origin, different domain */
+src: url(http://another.example.com/fonts/simple.ttf); 
+</pre>
+
+  <p>User agents must also implement the ability to relax this restriction
+   using cross-site origin controls <a href="#CORS"
+   rel=biblioentry>[CORS]<!--{{!CORS}}--></a>. Sites can explicitly allow
+   cross-site downloading of font data using the
+   <code>Access-Control-Allow-Origin</code> HTTP header.
+
+  <p class=issue>Some implementers feel a same-origin restriction should be
+   the default for all new resource types, including fonts, while others feel
+   strongly that an opt-in strategy usuable for all resource types would be a
+   better mechanism and that the default should always be to allow
+   cross-origin linking for consistency with existing resource types (e.g.
+   script, images). As such, this subsection should be considered at risk for
+   removal if the consensus is to use an alternative mechanism.
+
   <h2 id=font-matching-algorithm><span class=secno>5 </span>Font matching
    algorithm</h2>
 
@@ -4569,56 +4655,7 @@ <h2 id=rendering-considerations><span class=secno>7 </span>Resolving font
   <!-- simple example of using both font-variant subproperty and descriptor value -->
   <!-- example showing conflicting values and how they are resolved -->
 
-  <h2 class=no-num id=same-origin-restriction>Appendix A: Same-origin
-   restriction for fonts</h2>
-
-  <p><em>This appendix is normative.</em>
-
-  <p>Some user agents implement a same-origin restriction when loading font
-   resources. This section defines the meaning of that restriction.
-
-  <p>A same-origin restriction limits the loading of fonts for a given
-   document to fonts loaded from the same origin. This means that fonts can
-   only be loaded via the same host, port, and method combination as the
-   containing document, using the same origin matching algorithm described in
-   the <a href="#HTML5" rel=biblioentry>[HTML5]<!--{{!HTML5}}--></a>
-   specification. The origin of the stylesheet containing @font-face rules is
-   not used when deciding whether a font is same origin or not, only the
-   origin of the containing document is used.
-
-  <p>Given a document located at http://example.com/page.html, fonts defined
-   with ‘<a href="#descdef-src"><code class=property>src</code></a>’
-   definitions considered cross origin must not be loaded:
-
-  <pre>
-/* same origin (i.e. domain, protocol, port match document) */
-src: url(fonts/simple.ttf);                     
-src: url(//fonts/simple.ttf);                     
-
-/* cross origin, different protocol */
-src: url(https://example.com/fonts/simple.ttf);              
-
-/* cross origin, different domain */
-src: url(http://another.example.com/fonts/simple.ttf); 
-</pre>
-
-  <p>If a user agent implements a same-origin restriction for fonts loaded
-   via @font-face rules it must implement that restriction for all font
-   types, rather than for a subset of possible types. It must also implement
-   the ability to relax this restriction using cross-site origin controls <a
-   href="#CORS" rel=biblioentry>[CORS]<!--{{!CORS}}--></a>. Sites can
-   explicitly allow cross-site downloading of font data using the
-   <code>Access-Control-Allow-Origin</code> HTTP header.
-
-  <p class=issue>Some implementers feel a same-origin restriction should be
-   the default for all new resource types while others feel strongly that an
-   opt-in strategy usuable for all resource types would be a better mechanism
-   and that the default should always be to allow cross-origin linking for
-   consistency with existing resource types (e.g. script, images). As such,
-   this section should be considered at risk for removal if the consensus is
-   to use an alternative mechanism.
-
-  <h2 class=no-num id=platform-props-to-css>Appendix B: Mapping platform font
+  <h2 class=no-num id=platform-props-to-css>Appendix A: Mapping platform font
    properties to CSS properties</h2>
 
   <p><em>This appendix is included as background for some of the problems and
@@ -4692,7 +4729,7 @@ <h2 class=no-num id=platform-props-to-css>Appendix B: Mapping platform font
   <p class=issue>Need to define normatively how WWS names are handled across
    platforms.
 
-  <h2 class=no-num id=font-licensing>Appendix C: Font licensing issues</h2>
+  <h2 class=no-num id=font-licensing>Appendix B: Font licensing issues</h2>
 
   <p><em>This appendix is informative only.</em>
 
@@ -4947,9 +4984,9 @@ <h3 class=no-num id=other-references>Other References</h3>
    <dt id=OPENTYPE-FONT-GUIDE>[OPENTYPE-FONT-GUIDE]
 
    <dd><a
-    href="http://www.fontfont.com/opentype/FF_OT_UserGuide_v2.pdf"><cite>OpenType
+    href="https://www.fontfont.com/staticcontent/downloads/FF_OT_UserGuide_v2.pdf"><cite>OpenType
     User Guide.</cite></a> FontShop International. URL: <a
-    href="http://www.fontfont.com/opentype/FF_OT_UserGuide_v2.pdf">http://www.fontfont.com/opentype/FF_OT_UserGuide_v2.pdf</a>
+    href="https://www.fontfont.com/staticcontent/downloads/FF_OT_UserGuide_v2.pdf">https://www.fontfont.com/staticcontent/downloads/FF_OT_UserGuide_v2.pdf</a>
     </dd>
    <!---->
 
