<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Kim Jong Il, Tumblr, WebFonts and Firefox</title>
	<atom:link href="http://aharoni.wordpress.com/2012/01/31/kim-jong-il-tumblr-webfonts-and-firefox/feed/" rel="self" type="application/rss+xml" />
	<link>http://aharoni.wordpress.com/2012/01/31/kim-jong-il-tumblr-webfonts-and-firefox/</link>
	<description>Treacle tarts for great justice</description>
	<lastBuildDate>Wed, 12 Jun 2013 10:44:59 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Anonymous</title>
		<link>http://aharoni.wordpress.com/2012/01/31/kim-jong-il-tumblr-webfonts-and-firefox/comment-page-1/#comment-3540</link>
		<dc:creator><![CDATA[Anonymous]]></dc:creator>
		<pubDate>Wed, 01 Feb 2012 06:50:26 +0000</pubDate>
		<guid isPermaLink="false">http://aharoni.wordpress.com/?p=1742#comment-3540</guid>
		<description><![CDATA[Numerous browser exploits have occurred via images and scripts as well, and yet we allow third-party images and scripts all the time.  Furthermore, a first-party font can exploit the browser as easily as a third-party font; don&#039;t load third-party resources from sites you don&#039;t trust.  Firefox also implements Content Security Policy, an entirely sensible mechanism for sites to declare what third-party content (of any kind) they want to load.

The requirement of CORS for fonts exists for one reason, and one reason only: crazy font foundries wanted a way to prevent font hotlinking from other servers.]]></description>
		<content:encoded><![CDATA[<p>Numerous browser exploits have occurred via images and scripts as well, and yet we allow third-party images and scripts all the time.  Furthermore, a first-party font can exploit the browser as easily as a third-party font; don&#8217;t load third-party resources from sites you don&#8217;t trust.  Firefox also implements Content Security Policy, an entirely sensible mechanism for sites to declare what third-party content (of any kind) they want to load.</p>
<p>The requirement of CORS for fonts exists for one reason, and one reason only: crazy font foundries wanted a way to prevent font hotlinking from other servers.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: J. Mackerel</title>
		<link>http://aharoni.wordpress.com/2012/01/31/kim-jong-il-tumblr-webfonts-and-firefox/comment-page-1/#comment-3539</link>
		<dc:creator><![CDATA[J. Mackerel]]></dc:creator>
		<pubDate>Tue, 31 Jan 2012 21:32:00 +0000</pubDate>
		<guid isPermaLink="false">http://aharoni.wordpress.com/?p=1742#comment-3539</guid>
		<description><![CDATA[Actually, we do need CORS, because font implementations are neither as well-tested nor as rock solid as GIF, JPG and PNG. Remember that fonts are not just static data, they contain character maps (that are hopefully RIGHT), little bytecode programs, tons of metadata, and all kinds of craziness.

Many, many font implementations are buggy and strange, and bad font data can trigger bugs and exploitable crashes. Furthermore, the Unicode spec is ginormous and hard to get right. The web font spec writers wanted a way for authors and administrators to quickly lock down these risky little things we call &quot;fonts&quot;, in the same way that JS and XMLHTTPRequest are locked down.

When font technology is as reliable as images and text, then we can unlock them.]]></description>
		<content:encoded><![CDATA[<p>Actually, we do need CORS, because font implementations are neither as well-tested nor as rock solid as GIF, JPG and PNG. Remember that fonts are not just static data, they contain character maps (that are hopefully RIGHT), little bytecode programs, tons of metadata, and all kinds of craziness.</p>
<p>Many, many font implementations are buggy and strange, and bad font data can trigger bugs and exploitable crashes. Furthermore, the Unicode spec is ginormous and hard to get right. The web font spec writers wanted a way for authors and administrators to quickly lock down these risky little things we call &#8220;fonts&#8221;, in the same way that JS and XMLHTTPRequest are locked down.</p>
<p>When font technology is as reliable as images and text, then we can unlock them.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: aharoni</title>
		<link>http://aharoni.wordpress.com/2012/01/31/kim-jong-il-tumblr-webfonts-and-firefox/comment-page-1/#comment-3538</link>
		<dc:creator><![CDATA[aharoni]]></dc:creator>
		<pubDate>Tue, 31 Jan 2012 19:43:24 +0000</pubDate>
		<guid isPermaLink="false">http://aharoni.wordpress.com/?p=1742#comment-3538</guid>
		<description><![CDATA[Actually, I probably agree that the standard should be changed, although there may have been some reasoning behind this weirdness.

In any case, it&#039;s not quite right to say that the issue is with Firefox, if that&#039;s the only browser that implements the standard correctly, as idiotic as the standard may seem.]]></description>
		<content:encoded><![CDATA[<p>Actually, I probably agree that the standard should be changed, although there may have been some reasoning behind this weirdness.</p>
<p>In any case, it&#8217;s not quite right to say that the issue is with Firefox, if that&#8217;s the only browser that implements the standard correctly, as idiotic as the standard may seem.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: wreter</title>
		<link>http://aharoni.wordpress.com/2012/01/31/kim-jong-il-tumblr-webfonts-and-firefox/comment-page-1/#comment-3537</link>
		<dc:creator><![CDATA[wreter]]></dc:creator>
		<pubDate>Tue, 31 Jan 2012 19:32:37 +0000</pubDate>
		<guid isPermaLink="false">http://aharoni.wordpress.com/?p=1742#comment-3537</guid>
		<description><![CDATA[&gt;but Firefox, according to the standard, doesn’t load the font from a different domain if that domain is not explicitly configured to support font loading.

Excuse me, but this part of the standard is just idiotic. We don&#039;t need CORS for cross-domain images and we shouldn&#039;t need it for fonts. Firefox should remove the same-origin restriction and the standard should be changed to reflect the reality.]]></description>
		<content:encoded><![CDATA[<p>&gt;but Firefox, according to the standard, doesn’t load the font from a different domain if that domain is not explicitly configured to support font loading.</p>
<p>Excuse me, but this part of the standard is just idiotic. We don&#8217;t need CORS for cross-domain images and we shouldn&#8217;t need it for fonts. Firefox should remove the same-origin restriction and the standard should be changed to reflect the reality.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
