W3C home > Mailing lists > Public > www-font@w3.org > April to June 2010

RE: Chrome to support WOFF

From: Sergey Malkin <sergeym@microsoft.com>
Date: Tue, 27 Apr 2010 17:14:11 +0000
To: John Daggett <jdaggett@mozilla.com>
CC: "www-font@w3.org" <www-font@w3.org>, Chris Lilley <chris@w3.org>, "Thomas Phinney" <tphinney@cal.berkeley.edu>
Message-ID: <E39A28CD8A7CE44CA0BDEE6269E8B0A556469E00@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com>
John Daggett says:

> Unfortunately, if obscure bugs in Uniscribe rendering can be utilized
> for exploits, browser vendors will do whatever is necessary to avoid
> that code path, even if it means less than ideal font functionality. 

You can say the same about any API from Windows or some other OS. It is 
developer's choice to use or not use particular functionality, of course.
Microsoft products (and Mozilla's too) use Uniscribe all the time with
embedded fonts. My question was exactly whether presence of already 
fixed security bugs justify unconditional crippling of very important 

> The problem here is that Uniscribe is a black box and my understanding
> is that the Chrome team did some fuzzing of those API's and found
> enough issues to be concerned (fixes for the bugs they found were
> patched in Windows updates last fall and earlier this year I believe).

I do not remember Uniscribe security fixes made last year. But I do not 
work on Uniscribe team anymore, so may've missed something. Did Chrome team 
report these issues to us?


Received on Tuesday, 27 April 2010 17:14:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:37:34 UTC