W3C home > Mailing lists > Public > www-style@w3.org > April 2008

Re: WebFonts ready for use

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 30 Apr 2008 04:22:38 -0700
Cc: Brad Kemper <brkemper@comcast.net>, Paul Nelson <paulnel@winse.microsoft.com> (ATC), Håkon Wium Lie <howcome@opera.com>, "www-style@w3.org" <www-style@w3.org>
Message-Id: <FEA14ECA-9610-408C-8D5A-E231AEADC900@apple.com>
To: Erik Dahlström <ed@opera.com>


On Apr 30, 2008, at 4:02 AM, Erik Dahlström wrote:

> On Wed, 30 Apr 2008 12:29:25 +0200, Maciej Stachowiak  
> <mjs@apple.com> wrote:
>
>> On Apr 30, 2008, at 1:15 AM, Erik Dahlström wrote:
>>
>>> On Tue, 29 Apr 2008 04:17:45 +0200, Maciej Stachowiak  
>>> <mjs@apple.com> wrote:
>>>
>>>> On Apr 22, 2008, at 8:13 PM, Brad Kemper wrote:
>>>>
>>>>>
>>>>> On Apr 22, 2008, at 2:50 PM, Paul Nelson (ATC) wrote:
>
> ...
>
>>>> What is not OK (in my opinion) is exposing the font to Web pages  
>>>> that don't have an @font-face rule for it in their stylesheet,
>>>
>>> Once a webfont has been installed for use in a UA I don't see why  
>>> it would have to be limited to the webpage that included the @font- 
>>> face. I'm for example thinking of the case where all the  
>>> systemfonts didn't contain glyphs for some particular range, while  
>>> a webfont happened to do so. I think in such a situation it would  
>>> be better to show some text using the webfont rather than to show  
>>> missing glyphs (usually hollow rects) or even no text at all.
>>
>> I think this still creates security risk from malicious fonts.
>
> Personally I wouldn't trust any site to not serve malicious fonts.  
> They may do so unknowingly, or by intention. I wouldn't feel fully  
> confortable if the UA didn't check that the fonts were not malicious  
> before installing them. No matter where they were meant to be used.

The kind of maliciousness I am thinking of is substituting misleading  
glyphs to make text on other sites appear to say something other than  
it actually does. This is not something the UA can verify. It is also  
not a serious problem if a site does this to itself, but a site can't  
be allowed to do it to other sites. Apple's Product Security team was  
specifically worried about the risk of cross-site font injection like  
this when we described the Web Fonts feature to them, and we had to  
explain why it is not vulnerable.

>> Also, it would make it difficult for authors to serve a font only  
>> licensed for embedding in documents they produce, since the UA may  
>> use it for other documents without any deliberate action on the  
>> part of either the site or the user.
>>
>>>> or installing it on the system where random documents and  
>>>> applications can see it. That would be a security risk and would  
>>>> not even conceptually be embedding.
>>>
>>> I agree it shouldn't be installed on the system so that other  
>>> applications can see it.
>>
>> I think unrelated pages that do not request the font are  
>> conceptually the same as other applications, for purposes of this  
>> analysis.
>
> And what if the page requested the font, for example by providing a  
> list of font-families? It might well be that a platform didn't have  
> "Helvetica" installed, but another site offered this font? Or do you  
> mean request by having an @font-face definition?

I mean having an @font-face definition.

Regards,
Maciej
Received on Wednesday, 30 April 2008 11:23:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:55:05 GMT