- From: Chris Lilley <notifications@github.com>
- Date: Wed, 07 May 2025 13:51:01 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 7 May 2025 20:51:06 UTC
svgeesus left a comment (w3ctag/design-reviews#1057)

> Regarding security and privacy, we would ask for a more detailed security review. There are known techniques ([example](https://adragos.ro/fontleak/)) to leak the exact content (not just the character set) of an element with injected CSS, recursive imports and web fonts. The [Incremental Font Extension Algorithm](https://www.w3.org/TR/2025/WD-IFT-20250220/#extend-font-subset) seems to allow a similar pattern, so is it possible to create a similar attack?

In general, that attack would be the same if the font is served as:

- IFT
- WOFF2
- WOFF1
- OpenType

I have opened an issue anyway - https://github.com/w3c/IFT/issues/272 - but as far as I can tell this is not specific to IFT.

The performance (2400 characters in 7 **minutes**, limited to ASCII characters only) also looks to be self-limiting.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1057#issuecomment-2860318715
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1057/2860318715@github.com>