W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2010

[whatwg] Need document.available_fonts() call

From: Ashley Sheridan <ash@ashleysheridan.co.uk>
Date: Tue, 11 May 2010 12:28:34 +0100
Message-ID: <1273577314.21168.136.camel@localhost>
On Tue, 2010-05-11 at 12:32 +0300, Eitan Adler wrote:

> > Please note there's a rather strong privacy issue here. I don't want a
> > web page to be able - without my prior consent - to query the list of
> > fonts available in my system.
> 
> You already have this problem if a website were to create a list of
> elements with a list of different fonts and use Javascript to
> determine which font is being displayed. [1]
> 
> I'm not advocating opening another hole just because one already
> exists - I'm just pointing this out.
> 
> [1] http://www.lalit.org/lab/javascript-css-font-detect


It's not as clear cut as you make it sound. That script works on the
basis that the glyphs within a font have different widths compared to
the same glyph of another font. What happens when two fonts have exactly
the same dimensions for their glyphs? The script will register a false
positive. As such, I don't think its a security flaw or anything to
overly worry about.

Thanks,
Ash
http://www.ashleysheridan.co.uk


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100511/0b2dec2e/attachment.htm>
Received on Tuesday, 11 May 2010 04:28:34 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:23 UTC