On Apr 30, 2008, at 4:22 AM, Maciej Stachowiak wrote: >>>> Once a webfont has been installed for use in a UA I don't see why >>>> it would have to be limited to the webpage that included the >>>> @font-face. I'm for example thinking of the case where all the >>>> systemfonts didn't contain glyphs for some particular range, >>>> while a webfont happened to do so. I think in such a situation it >>>> would be better to show some text using the webfont rather than >>>> to show missing glyphs (usually hollow rects) or even no text at >>>> all. >>> >>> I think this still creates security risk from malicious fonts. >> >> Personally I wouldn't trust any site to not serve malicious fonts. >> They may do so unknowingly, or by intention. I wouldn't feel fully >> confortable if the UA didn't check that the fonts were not >> malicious before installing them. No matter where they were meant >> to be used. > > The kind of maliciousness I am thinking of is substituting > misleading glyphs to make text on other sites appear to say > something other than it actually does. This is not something the UA > can verify. It is also not a serious problem if a site does this to > itself, but a site can't be allowed to do it to other sites. Apple's > Product Security team was specifically worried about the risk of > cross-site font injection like this when we described the Web Fonts > feature to them, and we had to explain why it is not vulnerable. But do you agree that if both sites used some future feature of @font- face to "fingerprint" the font, that if the fingerprints matched the font from the first site could be used for the second site? The second site would not be using a fingerprint of a font it didn't want.Received on Wednesday, 30 April 2008 14:30:26 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:55:05 GMT