Re: [w3ctag/design-reviews] Incremental Font Transfer (Issue #1057)

xiaochengh left a comment (w3ctag/design-reviews#1057)

Hi @svgeesus, the TAG discussed it and are happy with such efforts that will increase web font usage and improve the overall web interoperability, which is good. There are also certain aspects we are unsure about.
 
Regarding security and privacy, we would ask for a more detailed security review. There are known techniques ([example](https://adragos.ro/fontleak/)) to leak the exact content (not just the character set) of an element with injected CSS, recursive imports and web fonts. The [Incremental Font Extension Algorithm](https://www.w3.org/TR/2025/WD-IFT-20250220/#extend-font-subset) seems to allow a similar pattern, so is it possible to create a similar attack?

Regarding page performance, how likely is IFT to negatively affect the page loading performance and therefore affect its adoption? In particular:
- The patches are loaded sequentially, which is known to be a slow loading pattern.
- The patches are applied sequentially, which might make the page layout unstable with multiple FOUTs.

Thank you!

https://github.com/w3ctag/design-reviews/issues/1057#issuecomment-2857845270

Message ID: <w3ctag/design-reviews/issues/1057/2857845270@github.com>

Received on Wednesday, 7 May 2025 09:28:39 UTC