Re: The unmentionable

On Wed, Jul 29, 2009 at 1:17 PM, Erik van Blokland<erik@letterror.com> wrote:
> On Wed, Jul 29, 2009 at 7:26 PM, Dirk Pranke <dpranke@google.com> wrote:
>>
>> Agreed, but I believe they do it for security concerns, not licensing
>> concerns (although I'm not positive about this). I do know that the
>> conversations about this in WebKit revolve primarily around security
>> concerns.
>
>
> I think the security aspect of fonts on the web has not gotten the attention
> it probably deserves.
> Just consider when a UA uses the OS for rendering fonts, possibly malicious
> code gets to interact with processes deep in the OS, shared with other
> applications. I know from unintentional experiments that a bad font can do
> more damage than malicious JavaScript.
>
> I'm not saying this all by itself should be a reason for same-origin for
> fonts. I bring it up with some reluctance, as neither crying wolf nor
> demonstrating would seem appropriate in a public forum. But it won't surprise
> me if folks will try.

This begins to wander off-topic, but it absolutely is getting
attention on the Chromium lists, which is probably not surprising
given Chromium's desire to sandbox everything and the fact that font
rendering runs with great privilege on Windows (and also the Mac, I
believe). Single-origin is a mitigating factor, but not a great one,
which is why Chromium's support for OTF/TTF is still not on by default
in the shipping production version (it can be enabled by a command
flag, I think). We're looking at sanitizing and/or transcoding fonts
for that very reason, just as sites like Flickr re-encode images to
ensure that they're safe for download as well.

Which makes the idea of a new font format that has to be converted to
something natively supported either better or worse, I'm not sure
which ;)

-- Dirk
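The "sanitize and/or transcode" idea Dirk mentions is easier to picture with a concrete illustration. The following is an added example, not code from this thread or from Chromium: a small Python module that validates the outer container of a TrueType/OpenType file (the sfnt header and table directory, per the public OpenType specification), rejects malformed directories (truncation, out-of-bounds or overlapping tables, duplicate or unprintable tags, checksum mismatches), drops tables that are not on an allowlist, and re-encodes the survivors into a freshly laid-out file so the renderer never sees the attacker-controlled byte layout. The allowlist, the 64-table limit and the `evil` tag in the sample font are constructed for the example; a production sanitizer would additionally parse and re-serialize the contents of every table it keeps.

```python
"""Minimal sfnt (TrueType/OpenType) container sanitizer and re-encoder.

Illustrative example only. It checks the table directory, not the tables'
contents; a real font sanitizer parses and re-emits every table as well.
"""
import struct

SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length
ALLOWED_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # TrueType 1.0, 'OTTO' (CFF), Apple 'true'

# Constructed allowlist for the example: anything not listed is dropped on re-encode.
ALLOWED_TAGS = frozenset({
    b"head", b"hhea", b"maxp", b"hmtx", b"cmap", b"name", b"OS/2", b"post",
    b"glyf", b"loca", b"CFF ", b"cvt ", b"fpgm", b"prep", b"gasp",
    b"GSUB", b"GPOS", b"GDEF", b"kern",
})


def table_checksum(payload: bytes) -> int:
    """Spec checksum: sum of big-endian uint32 words over the 4-byte padded table."""
    padded = payload + b"\0" * (-len(payload) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def validate_sfnt(data: bytes, max_tables: int = 64):
    """Structural checks on the container. Returns (ok, reason, {tag: payload})."""
    if len(data) < SFNT_HEADER.size:
        return False, "truncated header", {}
    version, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    if version not in ALLOWED_VERSIONS:
        return False, "unknown sfnt version 0x%08x" % version, {}
    if num_tables == 0 or num_tables > max_tables:
        return False, "implausible table count %d" % num_tables, {}
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(data):
        return False, "table directory truncated", {}
    spans, tables = [], {}
    for i in range(num_tables):
        rec_off = SFNT_HEADER.size + i * TABLE_RECORD.size
        tag, checksum, offset, length = TABLE_RECORD.unpack_from(data, rec_off)
        if not all(0x20 <= b <= 0x7E for b in tag):
            return False, "non-printable tag %r" % tag, {}
        if tag in tables:
            return False, "duplicate table %s" % tag.decode(), {}
        # Python ints do not wrap, so a 32-bit overflow in offset+length cannot defeat this bound.
        # The 4-byte alignment requirement follows the spec; it is a deliberately strict choice.
        if offset < dir_end or offset % 4 or offset + length > len(data):
            return False, "table %s points into the header or past EOF" % tag.decode(), {}
        payload = data[offset:offset + length]
        # 'head' is skipped: its directory checksum is defined with checkSumAdjustment zeroed.
        if tag != b"head" and table_checksum(payload) != checksum:
            return False, "checksum mismatch for %s" % tag.decode(), {}
        spans.append((offset, offset + length, tag))
        tables[tag] = payload
    spans.sort()
    for (_s, prev_end, prev_tag), (start, _e, tag) in zip(spans, spans[1:]):
        if start < prev_end:
            return False, "tables %s and %s overlap" % (prev_tag.decode(), tag.decode()), {}
    return True, "ok", tables


def build_sfnt(tables: dict, version: int = 0x00010000) -> bytes:
    """Re-encode tables into a fresh, canonically laid-out sfnt (the 'transcode' step)."""
    if not tables:
        raise ValueError("at least one table is required")
    tags = sorted(tables)                              # directory must be sorted by tag
    num = len(tags)
    entry_selector = num.bit_length() - 1              # floor(log2(num))
    search_range = (1 << entry_selector) * 16
    header = SFNT_HEADER.pack(version, num, search_range, entry_selector, num * 16 - search_range)
    offset = SFNT_HEADER.size + num * TABLE_RECORD.size
    directory, body = [], []
    for tag in tags:
        payload = tables[tag]
        padded = payload + b"\0" * (-len(payload) % 4)
        directory.append(TABLE_RECORD.pack(tag, table_checksum(payload), offset, len(payload)))
        body.append(padded)
        offset += len(padded)
    return header + b"".join(directory) + b"".join(body)


def sanitize_font(data: bytes, allowed=ALLOWED_TAGS):
    """Validate, drop unknown tables, re-encode. Returns (bytes or None, report)."""
    ok, reason, tables = validate_sfnt(data)
    if not ok:
        return None, "rejected: " + reason
    kept = {t: p for t, p in tables.items() if t in allowed}
    dropped = sorted(t.decode() for t in tables if t not in allowed)
    if not kept:
        return None, "rejected: no recognised tables"
    version = SFNT_HEADER.unpack_from(data, 0)[0]
    return build_sfnt(kept, version), "ok, dropped: %s" % (dropped or "none")


if __name__ == "__main__":
    # Constructed sample: two allowlisted tables plus an unknown 'evil' table.
    sample = build_sfnt({b"head": b"\0" * 54, b"maxp": b"\0\1\0\0\0\5", b"evil": b"\xff" * 10})
    out, report = sanitize_font(sample)
    print(report, len(sample), "->", len(out))
```

The re-encode step is the part that matters for the renderer: even a table the sanitizer passes through unchanged ends up at an offset and with a directory entry the sanitizer wrote, so the OS font engine only ever parses a layout produced by trusted code.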

Received on Wednesday, 29 July 2009 20:33:35 UTC