This modern web core technology being a security liability, invasive of privacy and the facilitator of modern annoyances that gets in the way of the user, (ads, interstitial space, ...) it is an expected response from the user to disable it or restrict it to the actual domain serving the page.
: http://motherfuckingwebsite.com/ and http://bettermotherfuckingwebsite.com/ and http://evenbettermotherfucking.website/
Sometimes a constraint like that can lead you to solutions even better than what you started with.
This modern trend that tries to pretend that the User Agent will always support various features or that they can simply assume that network errors never happen just makes sites look shoddy and unprofessional.
I think most people realize that there are certain limits to the combination of just html and css -- and that js can be used to change the trade-off between "good" and "perfect".
All that said, I also wish one could simply add a link to a font-file in the <head>-element and be done with it. But as web fonts are an attack vector, the people that run noscript, shouldn't be able to see that webfont either -- unless they take an action to trust the publisher in question (the site/host).
You know you can do just that, don't you ?.