Re: WebFonts ready for use

On Wed, 30 Apr 2008 12:29:25 +0200, Maciej Stachowiak <>  

> On Apr 30, 2008, at 1:15 AM, Erik Dahlström wrote:
>> On Tue, 29 Apr 2008 04:17:45 +0200, Maciej Stachowiak <>  
>> wrote:
>>> On Apr 22, 2008, at 8:13 PM, Brad Kemper wrote:
>>>> On Apr 22, 2008, at 2:50 PM, Paul Nelson (ATC) wrote:


>>> What is not OK (in my opinion) is exposing the font to Web pages that  
>>> don't have an @font-face rule for it in their stylesheet,
>> Once a webfont has been installed for use in a UA I don't see why it  
>> would have to be limited to the webpage that included the @font-face.  
>> I'm for example thinking of the case where all the systemfonts didn't  
>> contain glyphs for some particular range, while a webfont happened to  
>> do so. I think in such a situation it would be better to show some text  
>> using the webfont rather than to show missing glyphs (usually hollow  
>> rects) or even no text at all.
> I think this still creates security risk from malicious fonts.

Personally I wouldn't trust any site to not serve malicious fonts. They  
may do so unknowingly, or by intention. I wouldn't feel fully confortable  
if the UA didn't check that the fonts were not malicious before installing  
them. No matter where they were meant to be used.

> Also, it would make it difficult for authors to serve a font only  
> licensed for embedding in documents they produce, since the UA may use  
> it for other documents without any deliberate action on the part of  
> either the site or the user.
>>> or installing it on the system where random documents and applications  
>>> can see it. That would be a security risk and would not even  
>>> conceptually be embedding.
>> I agree it shouldn't be installed on the system so that other  
>> applications can see it.
> I think unrelated pages that do not request the font are conceptually  
> the same as other applications, for purposes of this analysis.

And what if the page requested the font, for example by providing a list  
of font-families? It might well be that a platform didn't have "Helvetica"  
installed, but another site offered this font? Or do you mean request by  
having an @font-face definition?


Erik Dahlstrom, Core Technology Developer, Opera Software
Co-Chair, W3C SVG Working Group
Personal blog:

Received on Wednesday, 30 April 2008 11:01:31 UTC