[whatwg] Need document.available_fonts() call

On Tue, 2010-05-11 at 12:32 +0300, Eitan Adler wrote:

> > Please note there's a rather strong privacy issue here. I don't want a
> > web page to be able - without my prior consent - to query the list of
> > fonts available in my system.
> 
> You already have this problem if a website were to create a list of
> elements with a list of different fonts and use Javascript to
> determine which font is being displayed. [1]
> 
> I'm not advocating opening another hole just because one already
> exists - I'm just pointing this out.
> 
> [1] http://www.lalit.org/lab/javascript-css-font-detect


It's not as clear cut as you make it sound. That script works on the
basis that the glyphs within a font have different widths compared to
the same glyph of another font. What happens when two fonts have exactly
the same dimensions for their glyphs? The script will register a false
positive. As such, I don't think its a security flaw or anything to
overly worry about.

Thanks,
Ash
http://www.ashleysheridan.co.uk


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100511/0b2dec2e/attachment.htm>

Received on Tuesday, 11 May 2010 04:28:34 UTC