Re: Comment on WOFF file format 'origCheckSum' value

From: Jonathan Kew <jfkthame@googlemail.com>
Date: Thu, 29 Apr 2010 17:49:14 +0100
Cc: public-webfonts-wg@w3.org
Message-Id: <366D0D00-30D2-45B9-A867-0DC6F849A4FD@gmail.com>
To: "Levantovsky, Vladimir" <Vladimir.Levantovsky@MonotypeImaging.com>
> I believe that it would be a good idea to add the checksum for WOFF data, ....

This is certainly something we can discuss. I don't think I have a strong opinion on it at the moment; it wouldn't be difficult to do, but on the other hand I don't see much value in it either.

> While a checksum check isn't likely to stop someone who is trying to exploit font data download as a security hole, it would seem to make sense to assume that a valid font file should have proper checksum values, and a mismatch would indicate corrupted data.

That was the approach we took previously (in our TrueType/OpenType support), but there turned out to be enough fonts in use in the wild with incorrect checksums -- which nobody else was apparently validating, so as far as users were concerned the fonts were working fine everywhere except Firefox's @font-face -- that we decided to also ignore checksums in the interests of more consistent behavior.

In effect, most other current software seems to treat the "checksum" fields as random padding.

Jonathan
Received on Thursday, 29 April 2010 16:49:50 GMT
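
The per-table checksum this thread is about, as an added example (not code from the thread or from any browser): it walks an sfnt table directory, recomputes each table's checksum and reports mismatches. WOFF's origCheckSum carries the same per-table value for the uncompressed table. The function names and the one-table sample file are constructed for illustration.

```python
import struct

def table_checksum(data: bytes) -> int:
    """OpenType table checksum: sum of big-endian uint32 words, mod 2**32."""
    data += b"\0" * (-len(data) % 4)          # tables are zero-padded to 4 bytes
    words = struct.unpack(f">{len(data) // 4}L", data)
    return sum(words) & 0xFFFFFFFF            # plain unkeyed sum: detects corruption only

def check_sfnt(font: bytes) -> dict:
    """Return {tag: (stored, computed)} for every table whose checksum mismatches."""
    if len(font) < 12:
        raise ValueError("truncated sfnt header")
    num_tables = struct.unpack_from(">H", font, 4)[0]
    if len(font) < 12 + 16 * num_tables:
        raise ValueError("truncated table directory")
    bad = {}
    for i in range(num_tables):
        # Table record: tag, checkSum, offset, length (16 bytes)
        tag, stored, offset, length = struct.unpack_from(">4sLLL", font, 12 + 16 * i)
        if offset + length > len(font):
            raise ValueError(f"table {tag!r} extends past end of file")
        body = font[offset:offset + length]
        if tag == b"head" and length >= 12:
            # checkSumAdjustment (bytes 8..11 of 'head') counts as zero
            body = body[:8] + b"\0\0\0\0" + body[12:]
        computed = table_checksum(body)
        if computed != stored:
            bad[tag.decode("latin-1")] = (stored, computed)
    return bad

def build_sample(stored_override=None) -> bytes:
    """Constructed one-table sfnt (not a usable font) for demonstration."""
    body = b"\x00\x01\x02\x03\x04"            # 5 bytes, so padding is exercised
    stored = table_checksum(body) if stored_override is None else stored_override
    header = struct.pack(">LHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sLLL", b"demo", stored, 28, len(body))
    return header + record + body + b"\0\0\0"

if __name__ == "__main__":
    print(check_sfnt(build_sample()))         # correct stored checksum
    print(check_sfnt(build_sample(0)))        # stored checksum field zeroed
```
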