- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 30 Apr 2008 14:10:52 -0700
- To: Brad Kemper <brkemper@comcast.net>
- Cc: Erik Dahlström <ed@opera.com>, Paul Nelson <paulnel@winse.microsoft.com> (ATC), Håkon Wium Lie <howcome@opera.com>, "www-style@w3.org" <www-style@w3.org>
On Apr 30, 2008, at 7:29 AM, Brad Kemper wrote:

> On Apr 30, 2008, at 4:22 AM, Maciej Stachowiak wrote:
>
>>>>> Once a webfont has been installed for use in a UA I don't see why it would have to be limited to the webpage that included the @font-face. I'm for example thinking of the case where all the system fonts didn't contain glyphs for some particular range, while a webfont happened to do so. I think in such a situation it would be better to show some text using the webfont rather than to show missing glyphs (usually hollow rects) or even no text at all.
>>>>
>>>> I think this still creates security risk from malicious fonts.
>>>
>>> Personally I wouldn't trust any site to not serve malicious fonts. They may do so unknowingly, or by intention. I wouldn't feel fully comfortable if the UA didn't check that the fonts were not malicious before installing them. No matter where they were meant to be used.
>>
>> The kind of maliciousness I am thinking of is substituting misleading glyphs to make text on other sites appear to say something other than it actually does. This is not something the UA can verify. It is also not a serious problem if a site does this to itself, but a site can't be allowed to do it to other sites. Apple's Product Security team was specifically worried about the risk of cross-site font injection like this when we described the Web Fonts feature to them, and we had to explain why it is not vulnerable.
>
> But do you agree that if both sites used some future feature of @font-face to "fingerprint" the font, that if the fingerprints matched the font from the first site could be used for the second site? The second site would not be using a fingerprint of a font it didn't want.

If the fingerprints provide cryptographically strong proof that fonts are bitwise identical, then it would be safe to use a shared copy.

I would have to see a concrete proposal to evaluate it from a security POV. But I think inventing a mechanism for this may be premature optimization. I'd like to see more evidence that font sizes are a major problem compared to other typical web resources, and that this can't be solved in simpler ways (like crunching down the fonts, and I would suggest script-by-script instead of character-by-character for more reusability).

Regards,
Maciej
Received on Wednesday, 30 April 2008 21:11:30 UTC