[whatwg] font security on measureText

Rik Cabanier cabanier at gmail.com
Thu May 2 14:49:58 PDT 2013

On Thu, May 2, 2013 at 2:38 PM, Anne van Kesteren <annevk at annevk.nl> wrote:

> On Thu, May 2, 2013 at 10:36 PM, Rik Cabanier <cabanier at gmail.com> wrote:
> > Does anyone know what this is? It seems to us, that if the font is
> > available to CSS (depending on if the browser supports CORS for fonts), it
> > should be fine to call measureText.
>
> In that case the font's origin would be the Document's origin though.

Reading the Origin spec [1]:

For fonts:

The origin of a downloadable Web font is an alias to the origin of the
absolute URL used to obtain the font (after any redirects). [CSSFONTS]

The origin of a locally installed system font is an alias to the origin of
the Document in which that font is being used.

Fonts do not have an effective script origin.

So, if my css specifies a font:

@font-face {
  font-family: "Bitstream Vera Serif Bold";
  src: url("http://developer.mozilla.org/@api/deki/files/2934/=VeraSeBd.ttf");
}

it seems that the origin of the font is not the same as the document so
measureText won't work. (I'm not that familiar with the verbiage so I might
be mistaken)

> Part of the problem here is that CSS lacks a bunch of text.

What do you mean by that? Is this underspecified?
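
The two origin definitions quoted in the message above, applied to @font-face rules. This is an added example, not part of the original message and not spec or browser code; the fontOrigins function, the redirect map and the example.com / example.net URLs are assumptions. Whether measureText is gated on this comparison is the open question in the thread, so the code only reports each font's origin next to the document's.

```javascript
// Added example. fontOrigins() and the redirects map are hypothetical helpers,
// not a browser API; the example.com / example.net URLs are constructed.
function fontOrigins(cssText, stylesheetUrl, documentUrl, redirects = {}) {
  const docOrigin = new URL(documentUrl).origin;
  const results = [];
  for (const [, body] of cssText.matchAll(/@font-face\s*\{([^}]*)\}/g)) {
    const fam = body.match(/font-family\s*:\s*(["']?)([^;"']+)\1\s*(;|$)/);
    const family = fam ? fam[2].trim() : null;
    const src = body.match(/src\s*:\s*([^;]+)/);
    if (!src) continue;
    for (const [, kind, , value] of src[1].matchAll(/(url|local)\(\s*(["']?)(.*?)\2\s*\)/g)) {
      let origin;
      if (kind === "local") {
        // Locally installed font: alias of the using Document's origin.
        origin = docOrigin;
      } else {
        // Downloadable font: origin of the absolute URL after redirects.
        // url() in CSS resolves against the stylesheet, not the document.
        const requested = new URL(value, stylesheetUrl).href;
        origin = new URL(redirects[requested] || requested).origin;
      }
      results.push({ family, kind, origin, sameOrigin: origin === docOrigin });
    }
  }
  return results;
}

// Constructed sample: the rule from the message plus one local/relative rule.
const SAMPLE_CSS = `
@font-face {
  font-family: "Bitstream Vera Serif Bold";
  src: url("http://developer.mozilla.org/@api/deki/files/2934/=VeraSeBd.ttf");
}
@font-face { font-family: Body; src: local("Arial"), url(fonts/body.woff); }
`;
// Constructed redirect: a same-origin request that ends up on another host.
const SAMPLE_REDIRECTS = {
  "http://example.com/css/fonts/body.woff": "http://cdn.example.net/body.woff",
};
function demo() {
  return fontOrigins(SAMPLE_CSS, "http://example.com/css/site.css",
                     "http://example.com/page.html", SAMPLE_REDIRECTS);
}
console.log(demo());
```

The third entry shows why "after any redirects" matters: the URL written in the stylesheet is same-origin, but the font's origin is that of the final URL.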

