- From: Cameron McCormack <cam@mcc.id.au>
- Date: Tue, 28 Jan 2014 11:40:43 -0800
- To: Sairus Patel <sppatel@adobe.com>
- CC: "robert@ocallahan.org" <robert@ocallahan.org>, Doug Schepers <schepers@w3.org>, Chris Lilley <chris@w3.org>, Daniel Flassig <d.flassig@pytha.de>, "public-svgopentype@w3.org" <public-svgopentype@w3.org>
Sairus Patel wrote: > My point was that *security-wise*, I don’t see a difference between > guarding against executing an external font file referenced by a URL vs > guarding against executing an external font file referenced by a font > family name. In either case, executing the external file could > potentially do something bad. (We’ve seen plenty of crashers related to > bad fonts, and it’s possible for a bad font to be maliciously injected > into the OS.) > > Perhaps Doug (who’s on this list) or others involved in the SVG > Integration doc could comment? The difference is that with externally referenced fonts, the person in charge of the server from which the font is downloaded can track when somebody views a document that happens to use that font. With local fonts this isn't a concern. If 'font-family: SomeLocalFont' is going to cause a crash when referenced from inside an SVG glyph because the font has bad data in it, then you'll get the same crash if you use that font from the outer HTML document. > > That would mean 'font-family:Arial' would be unusable in an SVG > image, which would be bad. > > Are you saying that any SVG images or embedded SVG documents on websites > are to be run in "secure mode" by the browser? If so, then when are SVG > images /not/ run in "secure mode” – when the entire page is an SVG > document? Just trying to understand the intended context of application > here. They are run in "secure animated mode" when used in <img> or as a CSS background image, etc. When used in an <iframe>, they're run in "dynamic interactive mode".
Received on Tuesday, 28 January 2014 19:41:28 UTC