- From: Brad Kemper <brkemper@comcast.net>
- Date: Wed, 30 Apr 2008 07:29:41 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Erik Dahlström <ed@opera.com>, Paul Nelson <paulnel@winse.microsoft.com> (ATC), Håkon Wium Lie <howcome@opera.com>, "www-style@w3.org" <www-style@w3.org>
On Apr 30, 2008, at 4:22 AM, Maciej Stachowiak wrote: >>>> Once a webfont has been installed for use in a UA I don't see why >>>> it would have to be limited to the webpage that included the >>>> @font-face. I'm for example thinking of the case where all the >>>> systemfonts didn't contain glyphs for some particular range, >>>> while a webfont happened to do so. I think in such a situation it >>>> would be better to show some text using the webfont rather than >>>> to show missing glyphs (usually hollow rects) or even no text at >>>> all. >>> >>> I think this still creates security risk from malicious fonts. >> >> Personally I wouldn't trust any site to not serve malicious fonts. >> They may do so unknowingly, or by intention. I wouldn't feel fully >> confortable if the UA didn't check that the fonts were not >> malicious before installing them. No matter where they were meant >> to be used. > > The kind of maliciousness I am thinking of is substituting > misleading glyphs to make text on other sites appear to say > something other than it actually does. This is not something the UA > can verify. It is also not a serious problem if a site does this to > itself, but a site can't be allowed to do it to other sites. Apple's > Product Security team was specifically worried about the risk of > cross-site font injection like this when we described the Web Fonts > feature to them, and we had to explain why it is not vulnerable. But do you agree that if both sites used some future feature of @font- face to "fingerprint" the font, that if the fingerprints matched the font from the first site could be used for the second site? The second site would not be using a fingerprint of a font it didn't want.
Received on Wednesday, 30 April 2008 14:30:26 UTC