Re: SVG Text elements within glyphs

My point was that *security-wise*, I don't see a difference between guarding against executing an external font file referenced by a URL vs guarding against executing an external font file referenced by a font family name. In either case, executing the external file could potentially do something bad. (We've seen plenty of crashers related to bad fonts, and it's possible for a bad font to be maliciously injected into the OS.)

Perhaps Doug (who's on this list) or others involved in the SVG Integration doc could comment?

> That would mean 'font-family:Arial' would be unusable in an SVG image, which would be bad.

Are you saying that any SVG images or embedded SVG documents on websites are to be run in "secure mode" by the browser? If so, then when are SVG images not run in "secure mode" - when the entire page is an SVG document? Just trying to understand the intended context of application here.

Thanks,
Sairus

From: Robert O'Callahan <robert@ocallahan.org>
Reply-To: Robert O'Callahan <robert@ocallahan.org>
Date: Monday, January 27, 2014 at 6:50 PM
To: Sairus Patel <sppatel@adobe.com>
Cc: Chris Lilley <chris@w3.org>, Cameron McCormack <cam@mcc.id.au>, Daniel Flassig <d.flassig@pytha.de>, "public-svgopentype@w3.org" <public-svgopentype@w3.org>
Subject: Re: SVG Text elements within glyphs

On Tue, Jan 28, 2014 at 3:22 PM, Sairus Patel <sppatel@adobe.com> wrote:
> Actually, 'font-family' seems to fit the intent of "external references" in the document SVG Integration (https://svgwg.org/specs/integration/#definitions), though not explicitly mentioned in the list of examples.
>
> Whether the external font file is "link[ed] to" with an explicit data URI or an OS font family name (or one of the generic family names e.g. serif, for that matter) shouldn't make a difference, right? It's still an external blob that's "render[ed] or process[ed] in the context of the current file [the SVG doc of the SVG-in-OT font]," and should thus be verboten (quotes are from the above link).

I don't think font-family is or should be considered an external reference. That would mean 'font-family:Arial' would be unusable in an SVG image, which would be bad.

Rob
--
Jtehsauts  tshaei dS,o n" Wohfy  Mdaon  yhoaus  eanuttehrotraiitny  eovni le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o  Whhei csha iids  teoa stiheer :p atroa lsyazye,d  'mYaonu,r  "sGients  uapr,e  tfaokreg iyvoeunr, 'm aotr  atnod  sgaoy ,h o'mGee.t"  uTph eann dt hwea lmka'n?  gBoutt  uIp  waanndt  wyeonut  thoo mken.o w

Received on Tuesday, 28 January 2014 19:36:56 UTC