Incremental Font Transfer

1. Introduction

This section is not normative.

Incremental Font Transfer (IFT) is a collection of technologies to improve the latency of remote fonts (or "web fonts") on the web. Without this technology, a browser needs to download every last byte of a font before it can render any characters using that font. IFT allows the browser to download only some of the bytes in the file, thereby decreasing the perceived latency between the time when a browser realizes it needs a font and when the necessary text can be rendered with that font.

The success of WebFonts is unevenly distributed. This specification allows WebFonts to be used where slow networks, very large fonts, or complex subsetting requirements currently preclude their use. For example, even using WOFF 2 [WOFF2], fonts for CJK languages are too large to be practical.

There are two different methods which can be used to incrementally transfer fonts.

1.1. Patch Subset

In the the first method, Patch Subset a server generates binary patches which a client applies to a subset of the font in order to extend the coverage of that subset. The server is stateless, it does not maintain any session data for clients between requests. Thus when a client requests the generation of a patch from the server it has to fully describe the current subset of the font that it has in a way which allows the server to recreate it.

Generic binary patch algorithms are used which do not need to be aware of the specifics of the font format. Typically a server will produce a patch by generating two font subsets: one which matches what the client currently has and one which matches the extended subset the client desires. A binary patch is then produced between the two subsets.

1.2. Range Request

The second method, Range Request, has no server-side requirements other than the server should be able to respond to byte-based range requests. The browser makes range requests to the server for the specific bytes in the font file that it needs. In order to know which bytes are necessary, the browser makes one initial special request for the beginning of the file to obtain all required font tables, and then calculates glyph coverage and required byte ranges using font character-to-glyph mapping and glyph substitution / layout tables.

In order for the range request method to be as effective as possible, the font file itself should be internally arranged in a particular way, in order to decrease the number of requests the browser needs to make. Therefore, it is expected that web developers wishing to use the range request method will use font files that have had their contents already arranged optimally.

This method was modelled after video playback on the web, where seeking in a video causes the browser to send a range request to the server.

1.3. Technical Motivation: Evaluation Report

See the Progressive Font Enrichment: Evaluation Report [PFE-report] for the investigation which led to this specification.

The evaluation report found that patch subset was generally more efficient in terms of overall performance and transferred bytes than range request. However, Range Request is simpler to deploy for many uses cases while still providing material improvments to loading performance for large fonts.

1.4. Performance Considerations and the use of Incremental Font Transfer

Using incremental transfer may not always be beneficial, depending on the characteristics of the font and the content being rendered. This section provides non-normative guidance to help decide:

1. When incremental transfer should be utilized.

2. When used, which of the two methods should be utilized.

Incrementally loading a font has a fundemental performance tradeoff versus loading the whole font. Simplistically, under incremental transfer less bytes may be transferred at the potential cost of increasing the total number of network requests being made, and/or increased request processing latency. In general incremental font transfer will be beneficial where the reduction in latency from sending less bytes outweighs additional latency introduced by the incremental transfer method.

The first factor to consider is the language of the content being rendered. The evaluation report contains the results of simulating incremental font transfer across three categories of languages (Progressive Font Enrichment: Evaluation Report § langtype). See it’s conclusions Progressive Font Enrichment: Evaluation Report § conclusions for a discussion of the anticipated performance of incremental font transfer across the language categories.

Next, how much of the font is expected to be needed? If it’s expected that most of the font will be needed to render the content then incremental font transfer is unlikely to be beneficial. In many cases however only part of a font is expected to be needed. For example:

• If the font contains support for several languages but a user is expected to only render content in a subset of those languages.

• If the content being rendered uses a small subset of the total characters in a font. This is often the case for Chinese, Japanese, Korean, Emoji, and Icon fonts.

• Only a small amount of text is being rendered. For example a font that is only used for a headline.

An alternative to incremental transfer is to break a font into distinct subsets (typically by script) and use the unicode range feature of @font-face to load only the subsets needed. However, this can break rendering Progressive Font Enrichment: Evaluation Report § fail-subset if there are layout rules between characters in different subsets. Incremental font transfer does not suffer from this issue as it maintains the original font and all it’s layout rules.

1.4.1. Reducing the Number of Network Requests

As discussed in the previous section the most basic implementation of incremental font transfer will tend to increase the total number of requests made vs traditional font loading. Since each request will require at least one round trip time, performance can be negatively impacted if too many requests are made. Both range request and patch subset allow for more codepoints then needed to be requested. Intelligent use of this feature by an implementation can help reduce the total number of requests being made. The evaluation report explored this by testing the performance of a basic character frequency based codepoint prediction scheme and found it improved overall performance.

Performant implementations should incorporate a similar mechanism which can select codepoints which are likely to be needed in the future and preemptively load them. This will improve performance by reducing the need to make additional requests for missing codepoints. The set of codepoints the client has and the set they are requesting can be used in conjuction with codepoint occurence frequency and codepoint usage in languages/scripts to make predictions on which additional codepoints are likely to be needed.

Under range request the prediction mechanism will need to be part of the client implementation. In patch subset either the client and/or server implementation can include a prediction mechanism. A side benefit to a client side prediction mechanism is providing some obfuscation of the specific codepoints required by the client. This is further discussed in Content inference from character set.

1.4.2. Deciding between Patch Subset and Range Request

From a purely performance perspective patch subset is more performant than range request. There are three main factors for this:

1. Range request requires an extra round trip on the very first load of a font to fetch the non-outline font data.

2. Patch subset is able to incrementally transfer all tables in the font, while range request is limited to only incrementally transferring glyph outline tables. In many fonts the majority of data is in the glyph outlines, however there are fonts that have significant amounts of data in the non outline tables.

3. Patch subset is able to compress incremental font data against previously loaded data from that font. This leads to better compression overall compared to range request.

See the evaluation report for a quantative assessment of the difference in performance of patch subset versus range request Progressive Font Enrichment: Evaluation Report § analysis.

The downside of using patch subset is that it requires server side processing to produce the patches, while range request can work on any standard HTTP server that supports range requests:

• This means that range request can be deployed easier, and in places such as CDN’s where the content owner may not have control over the serving stack.

• The server side processing required by patch subset will lead to increased processing costs (eg. CPU, RAM usage) per request vs range request.

2. Opt-In Mechanism

This section is general to both IFT methods.

Webpage’s can choose to opt-in to either patch subset or range request incremental transfer for a font via the use of a CSS font tech keyword (CSS Fonts 4 § 11.1 Font tech) inside the ''@font-face'' block.

There are three tech keywords available:

• incremental-patch: Load the font incrementally using the patch subset method.

• incremental-range: Load the font incrementally using the range request method.

• incremental-auto: Load the font incrementally. The particular method to use is determined by Method Negotiation.

@font-face {
    font-family: "MyCoolWebFont";
    src: url("MyCoolWebFont.otf") tech(incremental-patch);
}

Note: Each individual @font-face block may or may not opt-in to IFT. This is due to the variety of ways fonts are used on web pages. Authors have control over which fonts they want to use this technology with, and which they do not.

Note: the use of incremental-auto may incur a CORS preflight request for the initial request of method negotiation, as the initial request sets a custom header.

Note: the IFT tech keywords can be used in conjuction with other font tech specifiers to perform font feature selection. For example a @font-face could include two urls one with tech(incremental-patch, color-COLRv1) and the other with tech(incremental-patch, color-COLRv0). The client would initiate an incremental patch subset transfer to one of the URLs depending on which version of COLR is supported.

3. IFT Method Selection

This section is general to both IFT methods.

The client should have support for both patch subset and range request IFT. The client selects the IFT method to utilize for a font load using the following procedure:

• If the content has specified which method to use, such as via the incremental-patch or incremental-range font tech keyword (see: opt-in mechanism), then that method should be used if the client supports it. If the specified method is not supported then the client should fallback to to loading the font non-incrementally.

• Otherwise if the client does not know which particular IFT method(s) that the server hosting the font supports, such as when the incremental-auto font tech keyword is used, then method negotiation should be used to determine the method.

The most recently specified method by the content takes precedence. For example if on a site the first page specifies to use the patch subset method for a font URL, but the second page specifies range request for the same font URL then the second page should load the font using range request. Such cases will require the client to reset any previously stored state for that URL and start fresh with the new method. In the case that incremental-auto is encountered where previously a specific method was specified then the client can choose to continue using the previously selected method.

3.1. IFT Method Negotiation

When the particular IFT method(s) that are supported by a server are not known, the client must determine which method to use. Different clients may support different IFT methods, and different servers may support different IFT methods, so a negotation occurs as such:

1. The browser makes the first request to the server using the GET HTTP method (HTTP Semantics § name-get). If the client prefers the patch-subset method, it sends the relevant patch request header. If the client prefers the range-request method, it does not send the header.

2. If the server receives the patch request header and wishes to honor it, the server must reply according to § 4.5 Server: Responding to a PatchRequest. Otherwise, the server must reply with the HTTP Semantics § range.requests Accept-Ranges header, if it supports HTTP Range Requests.

3. If the client receives a font with a table identified by the 4-byte tag "IFTP", it commences using the patch-subset method. Otherwise, if the client receives the Accept-Ranges: bytes header, it commences using the range-request method. Otherwise, the whole font file is downloaded, and the current non-incremental loading behavior is used.

3.2. IFT Method Fallback

This section is not normative.

This summarizes behaviors that result from the above method selection and negotiation sections.

If the content specifies the range request method:

If the content specifies the patch subset method:

If the content does not specify a specific method:

3.3. Offline Usage

Special consideration must be taken when saving a page for offline usage that uses an incrementally transferred font since the saved page won’t be able to increment the font if content changes (eg. due to javascript execution). In these cases the page saving mechanism should download the full font by making a normal GET request without the patch request header to the font url. Additionally when URL’s are rewritten to point to the saved full font any of the incremental tech specifiers should be removed.

4. Patch Based Incremental Transfer

4.1. Font Subset

A font subset is a modified version of a font file that contains only the data needed to render a subset of:

• the codepoints,

• opentype layout features,

• and design-variation space.

supported by the original font. When a subsetted font is used to render text using any combination of the subset codepoints, layout features, or design-variation space it must render identically to the original font. This includes rendering with the use of any optional typographic features that a renderer may choose to use from the original font, such as hinting instructions.

A font subset definition describes the minimum data (codepoints, layout features, variation axis space) that a font subset must possess.

4.2. Data Types

This section lists all of the data types that are used to form the request and response messages sent between the client and server.

4.2.1. Encoding

All data types defined here are encoded into a byte representation for transport using CBOR (Concise Binary Object Representation) [RFC8949]. More information on how each data types should be encoded by CBOR are given in the definition of those data types.

4.2.2. Primitives

4.2.3. SparseBitSet

A data structure which compactly stores a set of distinct unsigned integers. The set is represented as a tree where each node has a fixed number of children that recursively sub-divides an interval into equal partitions. A tree of height H with branching factor B can store set membership for integers in the interval [0 to B^H-1] inclusive. The tree is encoded into a ByteString for transport.

To construct the tree T which encodes set S first select the branching factor B (how many children each node has). B can be 4, 8, 16, or 32.

Note: the encoder can use any of the possible branching factors, but it is recommended to use 4 as that has been shown to give the smallest encodings for most sets typically encountered.

Next, determine the height, H, of the tree:

H = ceil(log_B(max(S) + 1))

If S is an empty set then H = 1.

Next create a tree of height H where all non-leaf nodes have B children. Each node in the tree has a single value composed of B bits. Given a node p which has B children: c₀ ... c_{B - 1} and is in a tree, T, of height H, then:

• D(n) is depth of node n: the number of edges between the root node and n.

• Start(c_i) is the start (inclusive) of the interval covered by c_i :
  Start(c_i) = Start(p) + i * B^{H - D(c_i)}

• End(c_i) is the end (exclusive) of the interval covered by c_i :
  End(c_i) = Start(p) + (i + 1) * B^{H - D(c_i)}

• Start(root node) = 0

• The value of node p is a string of B bits. If its bits are numbered from 0 (least significant) to B - 1 (most significant) then bit i will be 1 if the set S contains at least one member in the interval [Start(c_i), End(c_i)), otherwise bit i will be 0.

• If for node p, End(p) - Start(p) = B, then p will have no children.

• An empty set is considered to have no nodes.

The tree is encoded into a bit string. When appending multiple-bit values to the bit string, bits are added in order from least significant bit to most significant bit.

First append 2 bits which encode the branching factor:

Then append the value H - 1 as a 5 bit unsigned integer. Next append a single 0 bit, which is reserved for future use.

Next the nodes are encoded into the bit string by traversing the nodes of the T in level order and appending the value for each non-zero node to the bit string. If all of the set values covered by a node’s interval are present within set S, then that node can instead be encoded in the bit string as B bits all set to zero. All children of that node must not be encoded.

Lastly the bit string is converted into a ByteString by converting each consecutive group of 8 bits into the next byte of the string. If the number of bits in the bit string is not a multiple of 8, zero bits are appended to the next multiple of 8. The bit with the smallest index in the bit string is the least significant bit in the byte and the bit with the largest index is the most significant bit.

BitString:
|- header |- lvl 0 |---- level 1 ----|------- level 2 -----------|
|         |   n0   |   n1       n2   |   n3       n4       n5    |
[ 01010000 10000100 10001000 10000000 00100000 01000000 00010000 ]

Which then becomes the ByteString:
[
  0b00001010,
  0b00100001,
  0b00010001,
  0b00000001,
  0b00000100,
  0b00000010,
  0b00001000
]

BitString:
|- header- |
|          |
[ 00000000 ]

Which then becomes the ByteString:
[
  0b00000000,
]

BitString:
|- header | l0 |- lvl 1 -| l2  |
|         | n0 | n1 | n2 | n3  |
[ 10010000 1100 0000 1000 1100 ]

ByteString:
[
  0b00001001,
  0b00000011,
  0b00110001
]

4.2.4. IntegerList

A data structure which compactly represents a list of non-negative integers from 0 to 2³¹-1. The list is encoded into a ByteString for transport.

There are three steps of encoding/compression: first delta, second zig-zag, and finally UIntBase128. The final ByteString result is simply the concatenation of the individual UIntBase128 encoded bytes.

IntegerList encoding must reject an input list which contains values not in the range 0 to 2³¹-1. Likewise if decoding an IntegerList results in values which are not in the range 0 to 2³¹-1 the list is invalid and must be rejected.

4.2.4.1. Delta Encoding

Delta encoding converts a list of integers to a list of deltas between them.

A list L of n integers L_i0..n-1 is converted into a list of N integers D_i0..n-1 as follows:

• D₀ = L₀

• D_{i = 1..n-1} = L_i - L_i-1

This has the effect of reducing the magnitude of the values, which reduces the number of bytes required in the UIntBase128 encoding, below.

// Note: unsorted
int_list = [23, 43, 12, 3, 67, 68, 69, 0]
delta_list = [23, 20, -31, -9, 64, 1, 1, -69]

4.2.4.2. Zig-Zag Encoding

Zig-Zag encoding reversibly converts signed integers to unsigned integers, using the same number of bits. The entire range of values is supported. This step is required, as the § 4.2.4.3 UIntBase128 Encoding step works on unsigned integers only. The encoding maps positive integer values to even positive integers and negative integer values to odd positive integers. Psuedo code:

encode(n):
  if n >= 0:
    return n * 2
  else:
    return (n * -2) - 1

decode(n) {
  if n & 1:
    return -((n + 1) / 2)
  else:
    return n / 2

delta_list = [23, 20, -31, -9, 64, 1, 1, -69]
zig_zag_encoded_list = [46, 40, 61, 17, 128, 2, 2, 137]

4.2.4.3. UIntBase128 Encoding

UIntBase128 is a variable length encoding of unsigned integers, suitable for values up to 2³²-1. A UIntBase128 encoded number is a sequence of bytes for which the most significant bit is set for all but the last byte, and clear for the last byte. The number itself is base 128 encoded in the lower 7 bits of each byte. Thus, a decoding procedure for a UIntBase128 is: start with value = 0. Consume a byte, setting value = old value times 128 + (byte bitwise-and 127). Repeat last step until the most significant bit of byte is false.

UIntBase128 encoding format allows a possibility of sub-optimal encoding, where e.g. the same numerical value can be represented with variable number of bytes (utilizing leading zeros). For example, the value 63 could be encoded as either one byte 0x3F or two (or more) bytes: [0x80, 0x3f]. An encoder must not allow this to happen and must produce shortest possible encoding. A decoder must reject the response/request if it encounters a UIntBase128-encoded value with leading zeros (a value that starts with the byte 0x80), if UIntBase128-encoded sequence is longer than 5 bytes, or if a UIntBase128-encoded value exceeds 2³²-1. Pseudo-code:

bool ReadUIntBase128( data, *result ) {
  UInt32 accum = 0;

  for (i = 0; i < 5; i++) {
    UInt8 data_byte = data.getNextUInt8();

    // No leading 0’s
    if (i == 0 && data_byte == 0x80) return false;

    // If any of top 7 bits are set then << 7 would overflow
    if (accum & 0xFE000000) return false;

    accum = (accum << 7) | (data_byte & 0x7F);

    // Spin until most significant bit of data byte is false
    if ((data_byte & 0x80) == 0) {
      *result = accum;
      return true;
    }
  }
  // UIntBase128 sequence exceeds 5 bytes
  return false;
}

Value       Output Bytes
0           00000000
1           00000001
2           00000010
3           00000011
127         01111111
128         10000001 00000000
255         10000001 01111111
16256       11111111 00000000
2080768     11111111 10000000 00000000
266338304   11111111 10000000 10000000 00000000
4294967295  10001111 11111111 11111111 11111111 01111111

zig_zag_encoded_list = [46, 40, 61, 17, 128, 2, 2, 137]
bytes = [2E 28 3D 11 81 00 02 02 81 09]
         └┘ └┘ └┘ └┘ └───┘ └┘ └┘ └───┘

4.2.5. SortedIntegerList

A data structure which compactly represents a sorted list of ascending non-negative integers (0 to 2³²-1). The list is encoded into a ByteString for transport.

This is a variation on IntegerList with better compression. Sorted lists only use two steps of encoding/compression: first deltas and then UIntBase128. The § 4.2.4.2 Zig-Zag Encoding step is skipped. This allows twice the range in UIntBase128, so that single bytes may be used more often.

SortedIntegerList encoding must reject an input list which contains values not in the range 0 to 2³²-1. Likewise if decoding an IntegerList results in values which are not in the range 0 to 2³²-1 the list is invalid and must be rejected.

4.2.6. RangeList

A RangeList encodes a set of non-negative integers (0 to 2³²-1). The set is encoded as a list of disjoint intervals. Each interval is represented by two integers, a start (inclusive) and end (inclusive).

A RangeList is a list of n pairs [min_i0..n-1, max_i0..n-1]. The list must be non-decreasing, i.e. min_i=1..n-1 >= max_i-1.

To encode this list, we convert it to a list L of 2n integers, where L_2i = min_i and L_2i+1 = max_i for i = 0..n-1.

L is a sorted list of integers, so a SortedIntegerList is used to encode it as a ByteString.

range_list = [3, 10], [13, 268]
int_list = [3, 10, 13, 268]
delta_list = [3, 7, 3, 255]
bytes = [03 07 03 81 7F]

4.2.7. FeatureTagSet

A FeatureTagSet encodes a set of zero or more opentype layout feature tags. Each feature tag is mapped to an integer value and then the set of mapped integers are encoded in a SortedIntegerList. Feature tags are mapped to integers as follows:

• If the tag is found in Appendix A: Default Feature Tags and Encoding IDs:

  • If the "Encoded As" column corresponding to the tag is "default" then the tag is skipped and not encoded.

  • Else, the tag is mapped to the integer value in the "Encoded As" column.

• Otherwise: the tag is converted to an integer by treating the tag’s 4 byte string as a 4 byte little endian integer.

The final encoding is produced by sorting the mapped integers (exlcuding tags which are skipped) into ascending order and then encoding the sorted list as a SortedIntegerList.

When decoding a FeatureTagSet the integer values are mapped back to the original tags by reversing the above mapping rules. Additionally all default features in Appendix A: Default Feature Tags and Encoding IDs must be added to the decoded set.

4.2.8. AxisSpace

Stores a set of intervals on one or more open type variation axes [opentype-variations]. Encoded as a CBOR map (major type 5). The key in each pair is an axis tag. It is encoded as a ByteString containing exactly 4 ASCII characters. The value in each pair is an ArrayOf<AxisInterval>. The list of intervals for a each axis tag must be disjoint.

4.2.9. Objects

Objects are data structures comprised of key and value pairs. Objects are encoded via CBOR as maps (major type 5). Each key and value pair is encoded as a single map entry. Keys are always unsigned integers and are encoded using major type 0. Values are encoded using the encoding specified by the type of the value.

All fields in an object are optional and do not need to have an associated value. Conversely when decoding and object fields may be present which are not specified in the schema. The decoder must ignore without error any key and value pairs where the key is not recognized.

There are several types of object used, each type is defined by a schema in § 4.3 Object Schemas. The schema for a type specifies for each field:

• A human readable name for the field. For reference only, not used in the encoding.

• A unsigned integer id for the field. This is used as the key in the encoding.

• The type of the value stored in this field. Can be any of the types defined in § 4.2 Data Types including object types.

4.3. Object Schemas

4.3.1. CompressedSet

Encodes a set of unsigned integers. The set is not ordered and does not allow duplicates. Members of the set are encoded into either a SparseBitSet or a RangeList. To obtain the final set the members of sparse_bit_set and the list of ranges in range_deltas are unioned together.

4.3.2. AxisInterval

AxisInterval defines an interval (from start to end inclusive) on some variable axis in a font.

For an AxisInterval object to be well formed:

• start must be set.

• end is optional, if set it must be greater than start. If end is not set then this interval is a single point, start.

4.3.3. PatchRequest

For a PatchRequest object to be well formed:

• If either of indices_have or indices_needed is set to a non-empty set then ordering_checksum must be set.

• If codepoints_have or indices_have is set to a non-empty set then original_font_checksum and base_checksum must be set.

4.3.4. ClientState

4.4. Client

4.4.1. Extending the Font Subset

This algorithm is used by the client to extends its font subset to cover additional codepoints, features, and/or design-variation space.

Extend the font subset

The inputs to this algorithm are:

• font URL: a URL where the font to be extended is located.

• fragment identifier (optional): if the font at the font url is a font collection, the fragment identifier (The "font" Top-Level Media Type § section-4.2) identifies a single font within the collection.

• font subset (optional): previously loaded font subset for the given font url, or null.

• desired subset definition: a description of the desired minimum font subset.

• fetch algorithm: algorithm for fetching HTTP resources, such as [fetch]. The remainder of this section is desribed in terms of Fetch Standard § 4 Fetching, but it is allowed to substitute whatever HTTP fetching algorithm the user agent supports.

The algorithm outputs:

• Extended Font Subset: font subset that has been updated to cover at least the requested subset definition.

• Cache fields: HTTP cache fields HTTP Caching § name-field-definitions describing how client state can be cached, or null.

The algorithm:

1. Compare the desired subset definition to the font subset. If the font subset is a superset of desired subset definition then return font subset, and null for the cache fields.

2. If font subset is set then load the client state from the font subset. Client state is stored in the font subset as a table identified by the 4-byte tag 'IFTP'. The contents of the table are a single ClientState object encoded via CBOR.

   • If font subset does not have an "IFTP" table, then this is not an incrementally loaded font and cannot be extended any further. Return font subset.

3. Otherwise make an HTTP request using the fetch algorithm:

   • The request method must be either "GET" or "POST".

   • The request destination must be "font".

   • The request CORS mode must be "cors".

   • The request cache mode should be "no-store".

   • The request URL scheme must be "https".

   • The request URL path is set to the input font URL.

   • The request must include an Accept-Encoding header which lists at minimum one of the encodings from § 4.8 Patch Encodings.

   • If method is "POST" then, request body must be a single PatchRequest object encoded via CBOR.

   • Otherwise if method is "GET" then, a header with name Font-Patch-Request (the patch request header) and whose value is a single PatchRequest object encoded via CBOR and then base64url encoding [rfc4648] must be added to the request’s header list.

   Any request and/or url parameters which are not specified here should be set based on the user agent’s normal handling for font requests. For example if this font load is from a CSS font face, then CSS Fonts 4 § 4.8.2 Font fetching requirements should be followed.

   The fields of the PatchRequest object should be set as follows:

   • codepoints_have: set to exactly the set of codepoints that the current font subset contains data for. If the current font subset is not set then this field is left unset. If client state is available and has a codepoint_ordering then this field should not be set.

   • codepoints_needed: set to the set of codepoints that the client wants to add to its font subset. That is the codepoint set from desired subset definition minus the codepoints already in the font subset. If client state is available and has a codepoint_ordering then this field should not be set.

   • indices_have: encodes the set of additional codepoints that the current font subset contains data for. The codepoint values are transformed to indices by applying the § 4.7 Codepoint Reordering specified by codepoint_ordering to each codepoint value. If the client state is not available or it does not have a codepoint_ordering then this field should not be set.

   • indices_needed: encodes the set of codepoints that the client wants to add to its font subset. That is the codepoint set from desired subset definition minus the codepoints already in font subset. The codepoint values are transformed to indices by applying the § 4.7 Codepoint Reordering specified by codepoint_ordering to each codepoint value. If the client state is not available or it does not have a codepoint_ordering then this field should not be set.

   • features_have: set to the list of opentype layout feature tags that the current font subset has data for. If the current font subset is not set then this field is left unset. Additionally, if the current font subset has all data for features present in the original font then this field can be unset.

   • features_needed: set to the list of feature tags that the client wants to add to the current font subset. That is the feature set from desired subset definition minus the set of features already in font subset. If the client wishes to add all remaining layout features from the original font to it’s subset then this field should be unset.

   • axis_space_have: set to the current value of subset_axis_space saved in the client state for this font. If client state is not available then this field is unset.

   • axis_space_needed: set to the intervals of each variable axis in the original font that the client wants to add to its font subset as defined in the desired subset definition. If the client wants an entire axis from the original font then that axis should not be listed.

   • ordering_checksum: If either of indices_have or indices_needed is set then this must be set to the checksum of the codepoint_ordering saved in the client state. The checksum is computed via § 4.7.1 Codepoint Reordering Checksum.

   • original_font_checksum: Set to saved value for original_font_checksum in the client state for this font. If there is no client state leave this field unset.

   • base_checksum: Set to the checksum of the font subset. See: § 4.6 Computing Checksums.

   • fragment_id: If a fragment identifier was provided as an input then this field must be set to the provided fragment identifier, otherwise it must be left unset.

   Note: It is allowed for the client to request more codepoints then it strictly needs. For example, on slower connections it may be more performant to request extra codepoints if that is likely to prevent a future request from needing to be sent.

4. Invoke Handle server response with the response from the server and the font subset then return the result.

Note: POST is preferred for the HTTP method since it will not cause a CORS preflight request and the request object is more compactly encoded. GET should only be used during method negotiation.

4.4.2. Handling Server Response

If a server is able to succsessfully process a PatchRequest it will respond with HTTP status code 200 and the body of the response will be an encoded representation of the extended font subset. The encoded representation may be a binary patch against the current font subset.

Handle server response

Inputs:

• server response: HTTP response to a patch request.

• font subset (optional): existing font subset which is being extended. May be null.

The algorithm outputs:

• Extended Font Subset: font subset that has been updated to cover at least the requested subset definition.

• Cache fields: HTTP cache fields HTTP Caching § name-field-definitions describing how client state can be cached, or null.

The algorithm:

1. If the server response has status other than 200:

   • If it is a redirect status: follow normal redirect handling, such as Fetch Standard § 4.4 HTTP-redirect fetch and then go back to step 1.

   • If status is 412, then the server does not recognize the codepoint ordering used by the client. The client should resend the request that triggered this response but also set the codepoint_ordering field on the request to the codepoint_ordering in the client state table within font subset.

   • All other statuses, the font subset extension has failed. Invoke Handle failed font load and return the result.

2. Decode the server response body by applying the appropriate decoding as specified by the Content-Encoding header. If the Content-Encoding is one of those from § 4.8 Patch Encodings then the input font subset will be used as the source file for the decoding operation. The decoded response is the new extended font subset. Return the extended font subset and any cache headers that were set on the server response.

Handle failed font load

If the font load or extension has failed the client should choose one of the following options:

1. If the client has a saved font subset, it may choose to use that and then use the user agent’s existing font fallback mechanism for codepoints not covered by the subset.

2. The client may re-issue the request as a regular non incremental font fetch to the same path. It must not include the patch subset request parameter or header. This will load the entire original font.

3. Discard the saved font subset, and use the user agent’s existing font fallback mechanism.

4.4.3. Load a Font in a User Agent with a HTTP Cache

The previous section § 4.4.1 Extending the Font Subset provides no guidance on how a user agent should handle saving the font subset and client state between invocations of the subset extension algorithm. This section provides an algorithm that user agents which implement [fetch] should use to save the font subset to the user agent’s HTTP cache ([RFC9111]).

Load a font with a HTTP Cache

The inputs to this algorithm:

• font URL: a URL where the font to be extended is located.

• fragment identifier (optional): if the font at the font url is a font collection, the fragment identifier (The "font" Top-Level Media Type § section-4.2) identifies a single font within the collection.

• desired subset definition: a description of the desired minimum font subset.

• fetch algorithm: algorithm for fetching HTTP resources, such as [fetch]. The remainder of this section is desribed in terms of Fetch Standard § 4 Fetching, but it is allowed to substitute whatever HTTP fetching algorithm the user agent supports.

The algorithm outputs:

• A font subset which covers at minimum the input subset definition.

The algorithm:

1. Make a HTTP fetch:

   • The request method is "GET".

   • The request destination must be "font".

   • The request CORS mode must be "cors".

   • The request URL scheme must be "https".

   • The request URL path is set to the input font URL.

   • The request cache mode is "only-if-cached".

2. If the request is successful and the response is "fresh" (HTTP Caching § name-freshness) then invoke Extend the font subset with:

   • Font url set to the input font URL.

   • Fragment identifier set to the input fragment identifier

   • Font subset set to the response.

   • Desired subset definition set to the input desired subset definition.

   • Fetch algorithm set to the input fetch algorithm.

   Once that returns go to step 4.

3. Otherwise, invoke Extend the font subset with:

   • Font url set to the input font URL.

   • Fragment identifier set to the input fragment identifier

   • Font subset set to null.

   • Desired subset definition set to the input desired subset definition.

   • Fetch algorithm set to the input fetch algorithm.

   Once that returns go to step 4.

4. If the returned cache fields are non-null update the cache entry for the input font url with the returned client state and returned cache fields.

5. Return the returned font subset.

4.5. Server: Responding to a PatchRequest

If the server receives a well formed PatchRequest over HTTPS for a font the server has and that was populated according to the requirements in § 4.4.1 Extending the Font Subset then it must respond with HTTP status code 200.

The path in the request url identifies the specific font that a patch is desired for. If the request has the fragment_id field set and the file identified by path is a font collection, then fragment_id identifies the font within that collection that a patch is desired for. The identified font is referred to as the original font in the rest of this section.

From the request object the server can produce two codepoint sets:

1. Codepoints the client has: formed by the union of the codepoint sets specified by codepoints_have and indices_have. The indices in indices_have must be mapped to codepoints by the application of the codepoint reordering with a checksum matching ordering_checksum.

2. Codepoints the client needs: formed by the union of the codepoint sets specified by codepoints_needed and indices_needed. The indices in indices_needed must be mapped to codepoints by the application of the codepoint reordering with a checksum matching ordering_checksum.

Note: the request may optionally set codepoint_ordering which is used by the client to provide the exact codepoint ordering that was used to encode indices_have and indices_needed.

Likewise, the server can produce two sets of opentype layout feature tags:

1. Feature tags the client’s subset has: specified by features_have. If the field is unset this indicates the client’s subset contains all features in the original font.

2. Feature tags the client needs: specified by features_needed. If the field is unset this indicates the client wants all features in the original font.

Lastly, the server can produce two variable axis spaces:

1. Axis space the client has: specified by axis_space_have. If any axes in the font are not specified in axis_space_have then for those axes add their entire interval from the original font.

2. Axis space the client needs: specified by axis_space_needed. If any axes in the font are not specified in axis_space_needed then for those axes add their entire interval from the original font.

If the server does not recognize the codepoint ordering used by the client, it must respond with status code 412. This will instruct the client to resend the request including the codepoint ordering it has.

Otherwise when the response is decoded by the client following the process in § 4.4.2 Handling Server Response to a font subset with checksum base_checksum it must result in an extended font subset:

• That contains data for at least the union of the set of codepoints needed and the sets of codepoints the client already has.

• That contains data for at least the union of the set of features needed and the sets of features the client already has.

• That contains a variation axis space that covers at least the union of the axis space the client has and the axis space the client needs.

• That has a table which is identified by the tag 'IFTP' whose content is a single ClientState object encoded via CBOR:

  • The original_font_checksum field must be set to the checksum of the original font computed by the procedure in § 4.6 Computing Checksums.

  • The codepoint_ordering field must be set following § 4.7 Codepoint Reordering.

  • If the original font has variation axes, the subset_axis_space field must be set to the axis space covered by the font subset.

  • If the original font has variation axes, the original_axis_space field must be set to the axis space covered by the original font.

  • The original_features field must be set to the list of opentype layout feature tags that the original font has data for.

Additionally:

• The response body should be encoded by one of the content encodings listed in the Accept-Encoding header of the request. When possible the server should utilize one of the patch based encodings from § 4.8 Patch Encodings. Non-patch based encodings should only be used where the server is unable to recreate the client’s state in order to generate a patch against it.

Note: if a patch subset service is composed of more than one server task and some subset of those tasks are using a subsetter version which produces different binary results than the rest, there is a risk that consecutive extend requests may result in unnecessary replacement responses. For example if consecutive requests alternate between server backends with different subsetters, then each response will be a replacement as the server tasks will be unable to recreate the previously generated subset. This scenario might occur during software updates to the server tasks. To combat this it’s recommended that sticky load balancing is used which aims to send consecutive requests from the same client to the same server task.

Possible error responses:

• If the request is malformed the server must instead respond with http status code 400 to indicate an error.

• If the requested font is not recognized by the server it should respond with http status code 404 to indicate a not found error.

4.5.1. Range Request Support

A patch subset support server must also support incremental transfer via § 5 Range Request Incremental Transfer. To support range request incremental tranfser the patch subset server must support HTTP range requests (HTTP Semantics § range.requests) against the font files it provides via patch subset.

4.6. Computing Checksums

64 bit checksums of byte strings are computed using the [fast-hash] algorithm. A python like pseudo code version of the algorithm is presented below:

# Constant values come fast hash: https://github.com/ztanml/fast-hash
SEED = 0x11743e80f437ffe6
M = 0x880355f21e6d1965

mix(value):
  value = value ^ (value >> 23)
  value = value * 0x2127599bf4325c37
  value = value ^ (value >> 47)
  return value

fast_hash(byte[] data):
  # When casting byte arrays into unsigned 64 bit integers the bytes are in little
  # endian order. That is the smallest index is the least significant byte.
  uint64 hash = SEED ^ (length(data) * M)
  for (i = 0; i <= length(data) - 8; i += 8)
    hash = (hash ^ mix((uint64) data[i:i+8])) * M

  remaining = length(data) % 8
  if not remaining:
    return mix(hash)

  uint64 last_value = (uint64) concat(data[length(data) - remaining:],
                                      [0] * (8 - remaining))
  return mix((hash ^ mix(last_value)) * M)

To ensure checksums are consistent across all platforms, all integers during the computation are in little endian order.

Note: a C implementation of fast hash can be found here: [fast-hash]

4.7. Codepoint Reordering

A codepoint reordering for a font defines a function which maps unicode codepoint values from the font to a continuous space of [0, number of codepoints in the font). This transformation is intended to reduce the cost of representing codepoint sets.

A codepoint ordering is encoded into a IntegerList. The list must contain all unicode codepoints that are supported by the font. The index of a particular unicode codepoint in the list is the new value for that codepoint.

A server is free to choose any codepoint ordering, but should try to pick one that will minimize the size of encoded codepoint sets for that font.

4.7.1. Codepoint Reordering Checksum

A checksum of a codepoint reordering can be computed as follows:

SEED = 0x11743e80f437ffe6
M = 0x880355f21e6d1965

mix(value):
  value = value ^ (value >> 23)
  value = value * 0x2127599bf4325c37
  value = value ^ (value >> 47)
  return value

fast_hash_ordering(uint64[] ordering):
  uint64 hash = SEED ^ (length(ordering) * 8 * M)
  for i in ordering:
    hash = (hash ^ mix(ordering[i])) * M

  return mix(hash)

To ensure checksums are consistent across all platforms, all integers during the computation are in little endian order.

4.8. Patch Encodings

The following content encodings can be used to encode a target file as a patch against a source file:

5. Range Request Incremental Transfer

Range request incremental font transfer is specified in a separate document: [RangeRequest]

Privacy Considerations

Content inference from character set

IFT exposes, to the server hosting a Web font, the set of characters that the browser can already render in a given Web font, and also the set of characters that it cannot render, but wants to (for example, to render a new Web page). For details, see § 4.4.1 Extending the Font Subset.

The purpose of doing so is to allow the server to compute a binary patch to the existing font, adding more characters. Thus, fonts are transferred incrementally, as needed, which greatly reduces> the bytes transferred and the overall network cost..

For some languages, which use a very large character set (Chinese and Japanese are examples) the vast reduction in total bytes transferred means that Web fonts become usable, including on mobile networks, for the first time.

However, for those languages, it is possible that individual requests might be analyzed by a rogue font server to obtain intelligence about the type of content which is being read. It is unclear how feasible this attack is, or the computational complexity required to exploit it, unless the characters being requested are very unusual.

One mitigation, which was originally introduced for reasons of networking efficiency so is likely to be implemented in practice, is to request additional, un-needed characters to dilute the ability to infer what content the user is viewing. Requesting characters which are statistically likely to occur may avoid a subsequent request.

(IFT mandates HTTPS, so no in-the-middle attack is possible; the trust is between the client, and the server hosting the fonts).

Checksums and possible fingerprinting

In the patch subset method 64 bit checksums are generated and transferred between client and server. These are used to ensure the client and server are in sync. They detect cases such as where the original font being patched has changed or the server is not able to reproduce the clients font subset. The checksums will be stored in a browsers HTTP cache as part of the font subset and thus are subject to the cache paritioning applied by the browser. Since modern browsers cache resources keyed by the site domain, this will limit checksum availability to within the site domain and prevent them from being used for tracking.

Per-origin restriction avoids fingerprinting

As required by [css-fonts-4], Web Fonts must not be accessible in any other Document from the one which either is associated with the @font-face rule or owns the FontFaceSet. Other applications on the device must not be able to access Web Fonts. This avoids information leaking across origins.

Similarly, font palette values must only be available to the documents that reference it. Using an author-defined color palette outside of the documents that reference it would constitute a security leak since the contents of one page would be able to affect other pages, something an attacker could use as an attack vector.

Security Considerations

No Security issues have been raised against this document

Appendix A: Default Feature Tags and Encoding IDs