Re: [csswg-drafts] [css-fonts][css-fonts-4] CSS Fonts 4 needs a proper Security and Privacy Considerations section (#4697) from Chris Lilley via GitHub on 2020-01-24 (public-css-archive@w3.org from January 2020)

From: Chris Lilley via GitHub <sysbot+gh@w3.org>
Date: Fri, 24 Jan 2020 10:22:43 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-578072373-1579861362-sysbot+gh@w3.org>

In terms of security, at least Chrome and Firefox use the [OpenType Font Sanitizer](https://github.com/khaledhosny/ots) whose reason for existence is:

> However, on many platforms the system-level TrueType font renderers have never been part of the attack surface before, and putting them on the front line is a scary proposition... Especially on platforms like Windows, where it's a closed-source blob running with high privilege.

There is currently no mention of this security aspect in the specification, so it seems that should go into this Security and Privacy section.

-- 
GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4697#issuecomment-578072373 using your GitHub account

Received on Friday, 24 January 2020 10:22:45 UTC