Anne van Kesteren

WOFF and Cross-Origin Font Loading

Recently Microsoft, Mozilla, and Opera jointly submitted the WOFF File Format. I do not really see how this format is solving any problem. In fact, it seems to complicate the font format space. I.e. at the very least it requires more QA and developer time of the people implementing font support in browsers. Compression can be supported for OpenType and TrueType fonts as well and the limited protection WOFF offers will probably be gone before the specification is final by Web-based tools and likely even native implementations in major operating systems. Irrespective of that it does seem to have the support of font foundries. FUCK THE FOUNDRIES is a viewpoint I personally sympathize with, but I can understand that others feel differently. I suppose I am mostly just surprised that shifting bits around a little makes people more comfortable.

My main problem is however not with the format, it is with the proposed same-origin restriction on font loading. So far we only applied the same-origin restriction for cases where not doing so would cause information leakage (i.e. privacy problems). You can load an image cross-origin for instance but you cannot extract data from a cross-origin image using the canvas element and associated API (you can with a same-origin image). I do not think that changing this policy for fonts is a good idea. I can certainly understand the desire to block cross-origin loads and the desire to make that easier than by performing Referer / Origin header checking, but I think that any such solution should also work for cross-origin image loads, cross-origin video loads, et cetera. It could be as simple as a From-Origin response header that when set to the value "same" should only allow the resource to be used same-origin.

See also discussion on Elsewhere:

While super obvious I should mention that the above does not necessarily reflect the opinion of my employer.


  1. Quality type's not going to come out of multitudes of free ones. Some quality free ones do exist, but they're extremely rare. Typographers aren't going to destroy their livelihoods so the Web can have all their fonts for free. These aren't multi million dollar executives making their money off the talent of others. They're extremely talented people whose job is to create type, and they get paid for it by selling it. If they were shunning the technology then I'd agree wholeheartedly with Mr. Pilgrim; instead they're actively trying to work in the open to make it happen, and something has to be said for the foundries involved's willingness.

    With all that said I personally don't see how the format is going to really help them either as the TrueType and OpenType formats can already do everything which has been "added" to WOFF, but if they're all for it I don't see any harm in supporting that format in addition to plain ol' TrueType and OpenType as long as people will be able to use quality type on the Web.

    The same origin restriction is just plain stupid as restricting the file can be handled with a simple server configuration like thousands already do with images like you say already. I just wish this focus was put more on standardizing font rendering as rendering of fonts on Windows is plain atrocious (especially with OpenType) or standardizing downloading of only the parts of fonts which are needed to display the website so linking a font with a massive amount of glyphs is feasible.

    Posted by Dustin Wilson at

  2. Dustin: Indeed. Similarly, there'll never be quality free Web browsers.

    Posted by Ian Hickson at

  3. Dustin: (just like now that music is no longer DRMed, iTunes has had to stop selling professionally produced music)

    Posted by Ian Hickson at