W3C home > Mailing lists > Public > www-style@w3.org > April 2008

Re: WebFonts ready for use

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 30 Apr 2008 14:10:52 -0700
Cc: Erik Dahlström <ed@opera.com>, Paul Nelson <paulnel@winse.microsoft.com> (ATC), Håkon Wium Lie <howcome@opera.com>, "www-style@w3.org" <www-style@w3.org>
Message-Id: <5483F9F6-C5E8-433E-8D03-FAC5C07A354F@apple.com>
To: Brad Kemper <brkemper@comcast.net>


On Apr 30, 2008, at 7:29 AM, Brad Kemper wrote:

>
> On Apr 30, 2008, at 4:22 AM, Maciej Stachowiak wrote:
>
>>>>> Once a webfont has been installed for use in a UA I don't see  
>>>>> why it would have to be limited to the webpage that included the  
>>>>> @font-face. I'm for example thinking of the case where all the  
>>>>> systemfonts didn't contain glyphs for some particular range,  
>>>>> while a webfont happened to do so. I think in such a situation  
>>>>> it would be better to show some text using the webfont rather  
>>>>> than to show missing glyphs (usually hollow rects) or even no  
>>>>> text at all.
>>>>
>>>> I think this still creates security risk from malicious fonts.
>>>
>>> Personally I wouldn't trust any site to not serve malicious fonts.  
>>> They may do so unknowingly, or by intention. I wouldn't feel fully  
>>> confortable if the UA didn't check that the fonts were not  
>>> malicious before installing them. No matter where they were meant  
>>> to be used.
>>
>> The kind of maliciousness I am thinking of is substituting  
>> misleading glyphs to make text on other sites appear to say  
>> something other than it actually does. This is not something the UA  
>> can verify. It is also not a serious problem if a site does this to  
>> itself, but a site can't be allowed to do it to other sites.  
>> Apple's Product Security team was specifically worried about the  
>> risk of cross-site font injection like this when we described the  
>> Web Fonts feature to them, and we had to explain why it is not  
>> vulnerable.
>
> But do you agree that if both sites used some future feature of  
> @font-face to "fingerprint" the font, that if the fingerprints  
> matched the font from the first site could be used for the second  
> site? The second site would not be using a fingerprint of a font it  
> didn't want.

If the fingerprints provide cryptographically strong proof that fonts  
are bitwise identical, then it would be safe to use a shared copy. I  
would have to see a concrete proposal to evaluate it from a security  
POV.

But I think inventing a mechanism for this may be premature  
optimization. I'd like to see more evidence that font sizes are a  
major problem compared to other typical web resources, and that this  
can't be solved in simpler ways (like crunching down the fonts, and I  
would suggest script-by-script instead of character-by-character for  
more reusability).

Regards,
Maciej
Received on Wednesday, 30 April 2008 21:11:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:55:05 GMT