W3C home > Mailing lists > Public > www-style@w3.org > August 2006

RE: Web Fonts

From: Paul Nelson (ATC) <paulnel@winse.microsoft.com>
Date: Thu, 24 Aug 2006 14:36:34 -0700
Message-ID: <49C257E2C13F584790B2E302E021B6F910EFDA78@winse-msg-01.segroup.winse.corp.microsoft.com>
To: "Anne van Kesteren" <annevk@opera.com>, Håkon Wium Lie <howcome@opera.com>
CC: <www-style@w3.org>

Of course the security risk is there for any type of font file loaded from the URL. Microsoft support loading .EOT files from the @font-face (and has for years). We spend a good part of the past couple of years to make our downloading, validation and temporary installation more robust. Why? Because there were sites that were installing corrupt fonts that would crash or attempt to crash Windows. 

If a UA is going to take complex files, like fonts, from the web, they will need to be ready for fonts that have pointers outside of the font, don't have sentenals at the ends of cmaps, and all sorts of other things of that nature.

The @font-face is not the issue. The only issue is that other UAs have not yet released the ability to get font files that way.

Paul


-----Original Message-----
From: Anne van Kesteren [mailto:annevk@opera.com] 
Sent: Thursday, August 24, 2006 8:48 PM
To: Paul Nelson (ATC); Håkon Wium Lie
Cc: www-style@w3.org
Subject: Re: Web Fonts

On Thu, 24 Aug 2006 13:49:57 +0200, Paul Nelson (ATC) <paulnel@winse.microsoft.com> wrote:
> My guess is that even if some browsers choose to push ahead with this 
> type of mechanism, there will be some who view this as too large of a 
> security and/or legal risk to pursue.

I sort of get the "legal risk," but could you elaborate on what type of security issues are involved and why they don't exist for the existing @font-face mechanism, for example?


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 24 August 2006 21:36:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:46 GMT