Re: The unmentionable

On Wed, Jul 29, 2009 at 7:26 PM, Dirk Pranke <dpranke@google.com> wrote:

> Agreed, but I believe they do it for security concerns, not licensing
> concerns (although I'm not positive about this). I do know that the
> conversations about this in WebKit revolve primarily around security
> concerns.
>

I think the security aspect of fonts on the web has not gotten the attention
it probably deserves.
Just consider: when a UA uses the OS for rendering fonts, possibly malicious
code gets to interact with processes deep in the OS, shared with other
applications. I know from unintentional experiments that a bad font can do
more damage than a malicious JavaScript.

I'm not saying this all by itself should be a reason for same-origin for
fonts. I bring it up with some reluctance as neither crying wolf nor demonstrating
would seem appropriate in a public forum. But it won't surprise me if folks
will try.

Erik

Received on Wednesday, 29 July 2009 20:17:42 UTC