Re: [csswg-drafts] [css-fonts] limit local fonts to those selected by users in browser settings (or other browser chrome) (#4497) from Alan Stearns via GitHub on 2020-03-02 (public-css-archive@w3.org from March 2020)

From: Alan Stearns via GitHub <sysbot+gh@w3.org>
Date: Mon, 02 Mar 2020 15:16:21 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-593452824-1583162180-sysbot+gh@w3.org>

@r12a I do not think it is practical to prevent this information leak, if the fonts can be used to lay out web content. As I understand it, the attack is to lay out some text, measure it, change the font, measure again. If the measurement changes then the font is available on the user's system. Repeat these steps 100-10000 times and you get some useful information about their installed font set. We would have to disallow measuring of laid-out content to prevent the leak, which would break a lot of the web.

-- 
GitHub Notification of comment by astearns
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4497#issuecomment-593452824 using your GitHub account

Received on Monday, 2 March 2020 15:16:22 UTC