- From: John Hudson <tiro@tiro.com>
- Date: Wed, 29 Jul 2009 14:02:38 -0700
- CC: "www-font@w3.org" <www-font@w3.org>

I pulled this out with a new subject line because I thought it deserved attention even though, as Dirk pointed out in a response under the old subject, it is beginning to head off topic. Whatever security is, it isn't unmentionable.

Erik van Blokland wrote:

> I think the security aspect of fonts on the web has not gotten the
> attention it probably deserves.
>
> Just consider when a UA uses the OS for rendering fonts, possibly
> malicious code gets to interact with processes deep in the OS, shared
> with other applications. I know from unintentional experiments that a
> bad font can do more damage than a malicious javascript.
>
> I'm not saying this all by itself should be a reason for same-origin for
> fonts. I bring it up with some reluctance as crying wolf nor
> demonstrating would seem appropriate in a public forum. But it won't
> surprise me if folks will try.

Indeed. Even with Type 1 PostScript it was possible to bring down a system with a font, as I discovered in 1995. I didn't even know what had caused the problem until I was restoring folder-by-folder and hit this font.

JH

Received on Wednesday, 29 July 2009 21:03:19 UTC