[whatwg] font security on measureText

Rik Cabanier cabanier at gmail.com
Fri May 3 10:25:03 PDT 2013


On Fri, May 3, 2013 at 2:23 AM, Anne van Kesteren <annevk at annevk.nl> wrote:

> On Thu, May 2, 2013 at 10:49 PM, Rik Cabanier <cabanier at gmail.com> wrote:
> > Reading the Origin spec [1]:
> >
> > For fonts:
> >
> > The origin of a downloadable Web font is an alias to the origin of the
> > absolute URL used to obtain the font (after any redirects). [CSSFONTS]
> >
> > The origin of a locally installed system font is an alias to the origin
> of
> > the Document in which that font is being used.
> >
> > Fonts do not have an effective script origin.
>
> 1. That assumes tainted cross-origin as a fetching mode.
> http://fetch.spec.whatwg.org/#concept-request-mode Whereas you assume
> it uses CORS.
>

What do you mean by 'you'?
The link in Canvas from the WhatWG spec is to the above section
(Click on the 'origin' link here [1])


>
> 2. That really ought to be defined by CSS directly.
>
>
> >> Part of the problem here is that CSS lacks a bunch of text.
> >
> > What do you mean by that? Is this underspecified?
>
> CSS should say it fetches using mode CORS. That will result in a
> either a response marked CORS-same-origin or a network error. Fonts
> can be then be assumed to be safe as there is no way to obtain a
> tainted font.


OK. So it seems that the canvas spec should NOT say that the font has to be
the same origin.
It should refer to CSS portion that describes this fetching or be silent.


> (However, it is my understanding not all browsers are
> aligned on this at the moment, so you might want to make sure that
> happens first.)
>

1:
http://www.whatwg.org/specs/web-apps/current-work/multipage/the-canvas-element.html#dom-context-2d-measuretext



More information about the whatwg mailing list