- From: Christopher Slye <cslye@adobe.com>
- Date: Mon, 20 Dec 2010 00:12:20 -0800
- To: John Daggett <jdaggett@mozilla.com>
- CC: "www-font@w3.org" <www-font@w3.org>, "public-i18n-core@w3.org" <public-i18n-core@w3.org>
I'm sympathetic to the security concerns, but nevertheless I do think such an advisory is relevant to WOFF. One of the stated features of WOFF is to give user agents the ability to selectively access font tables. It would be worthwhile to point out that some OT tables, while optional, might be important for layout and should not be disregarded capriciously. -Christopher On Dec 18, 2010, at 2:02 PM, John Daggett wrote: > > Hi Richard, > > This is not an issue for the WOFF spec, which deals with packaging font data. This issue is more directed at the CSS3 Fonts spec which governs the loading of fonts in user agents. The WOFF spec refers to that spec. A note in the CSS3 Fonts spec would be fine I think. > > I would also add that this issue is related to security, the user agent (Chrome) you're concerned about is not doing this for arbitrary reasons, those tables are removed because of concerns over the possibility of exploits in system libraries on various platforms. As the libraries that do OpenType shaping (HarfBuzz, Uniscribe, CoreText) become more robust, the need to shield the underlying OS libraries from arbitrary GPOS/GDEF/GSUB tables will diminish. Unfortunately, security concerns will always trump other concerns. > > Regards, > > John Daggett > > > ----- Original Message ----- > From: "Internationalization Core Working Group Issue Tracker" <sysbot+tracker@w3.org> > To: www-font@w3.org, public-i18n-core@w3.org > Sent: Thursday, December 16, 2010 4:18:48 AM > Subject: I18N-ISSUE-9: OpenType feature preservation [WOFF] > > > I18N-ISSUE-9: OpenType feature preservation [WOFF] > > http://www.w3.org/International/track/issues/9 > > Raised by: Richard Ishida > On product: WOFF > > 5. Font Data Tables, Note > http://www.w3.org/TR/WOFF/#DataTables > > WG Reviewed: Yes > > We are concerned about implementers that are ignoring OpenType feature support. This advice falls outside the scope of the WOFF spec, but we think that adding to the note at the bottom of section 5 will be very useful in alerting people to this issue. > > We suggest to add some text saying something like this: > > "The automatic removal of OpenType features such as GPOS and GSUB information at any stage in the process of deploying a WOFF file is strongly discouraged. Many writing systems around the world rely on these features for very basic display of text in the script that they use." > > > > >
Received on Monday, 20 December 2010 08:12:56 UTC