Incremental Font Transfer 2024-07-09

[svgeesus]

The Privacy IG prefers groups to complete a self-review around the time of FPWD. See https://w3ctag.github.io/security-questionnaire/.

• name of spec to be reviewed: Incremental Font Transfer
• URL of spec: https://www.w3.org/TR/2024/WD-IFT-20240709/
• Does your document have an in-line Privacy Considerations section, ideally one separate from Security Considerations? If not, correct that before proceeding further.
  • Yes
• Do you need a reply by a particular date?
  • No
• Please point to the results of your own self-review (see https://w3ctag.github.io/security-questionnaire/ , https://w3c.github.io/fingerprinting-guidance/, https://tools.ietf.org/html/rfc6973)
  • Security self-review answers for 9 July 2024 WD of IFT w3c/IFT#194
• Where and how to file issues arising?
  • As individual issues on our GitHub, please
• Pointer to any explainer for the spec? https://github.com/w3c/IFT/blob/main/IFT-Explainer.md

Other comments:

This new draft addresses review feedback from the earlier proposals. There is no longer a Range Request vs Patch Subset choice, and there is no longer any special protocol required. The client no longer sends individual, possibly trackable requests to the server for a patch specific to the current user. Instead, it selects from pre-generated patches, which are the same for all users. Compared to the earlier proposals, the risks of fingerprinting have thus been reduced and there should also no longer be an impact on CDN caching.

[svgeesus]

@pes10k did you get a chance to review this specification?

[pes10k]

hi @svgeesus, apologies for the delay on this. I've reviewed the spec, and filed one needs-resolution issue. I'm going to close out this review request now. Thank you for your patience

w3c/IFT#207