W3C home > Mailing lists > Public > www-style@w3.org > August 2006

RE: Web Fonts

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 24 Aug 2006 21:52:34 +0000 (UTC)
To: "Paul Nelson (ATC)" <paulnel@winse.microsoft.com>
Cc: www-style@w3.org
Message-ID: <Pine.LNX.4.62.0608242145330.10139@dhalsim.dreamhost.com>

On Thu, 24 Aug 2006, Paul Nelson (ATC) wrote:
> 
> If a UA is going to take complex files, like fonts, from the web, they 
> will need to be ready for fonts that have pointers outside of the font, 
> don't have sentenals at the ends of cmaps, and all sorts of other things 
> of that nature.

The same applies to complex files like images, videos, sound files, 
interactive animations, and even scripts, stylesheets, and documents.

That's not to say fonts are easy to handle, but it seems like this is not 
a relevant argument against howcome's proposal. The same problem exists 
even without automated downloading: regardless of the Web, you don't want 
crash bugs to exist in the OS font code. The OS font subsystem should, 
like all subsystems, be designed from the ground up with the expectation 
that it will be faced with corrupt data, intentionally or not.


> The @font-face is not the issue. The only issue is that other UAs have 
> not yet released the ability to get font files that way.

So there isn't a security issue specific to zip-files? (You suggested in 
an earlier e-mail that there was a zip-file-specific security problem, 
which I am concerned about since some UAs depend on zip-files a lot.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 24 August 2006 21:52:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:46 GMT