- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Thu, 30 Jun 2011 09:42:05 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: www-style@w3.org, www-font@w3.org, public-webfonts-wg@w3.org
On Thu, Jun 30, 2011 at 9:25 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > On 6/30/11 12:09 PM, Glenn Adams wrote: >> >> There is no mechanism to allow script content to access font data, even >> by inference > > Given that you can draw text into a canvas, this seems to be an incorrect > claim. > > And, importantly, new mechanisms of various sorts are getting added all the > time. Preventing unintentional leakage is _hard_. See > http://lists.w3.org/Archives/Public/www-svg/2008Sep/0112.html for example. Even more importantly, we already have a proof-of-concept attack on glyph data, at least, due to the fact that most impls optimize font-drawing and no-op if a glyph is being drawn outside the bounds of the canvas. You can just make a 1x1 canvas, shift the position of the drawn text around, and use timing to tell whether the pixel is inside or outside the glyph. Larger font sizes give you more detail. There simply is no real distinction between reading and embedding, just a gradient of difficulty. If you want to prevent reading, you have to prevent embedding as well. ~TJ
Received on Thursday, 30 June 2011 16:43:12 UTC