Firefox3.1/Downloadable Fonts Security Review
The goal of this feature is to support the CSS3 @font-face feature, which allows fonts to be downloaded when referenced within stylesheets.
- Background links
- Bug 70132 downloadable fonts meta bug
- Draft CSS3 Fonts spec, detailing @font-face
- Font format specs:
- API's for handling loadable fonts:
- Security issue tracking bugs:
Security and Privacy
The major concern with the introduction of this feature is that it exposes our text rendering code and the platform-specific libraries we use to attack via intentionally corrupt fonts. Evil fonts could already cause these problems with our code currently but adding support for downloadable fonts makes this far easier. Possible risk areas: handling font names, reading the character map, handling metrics, catching errors when drawing with bogus glyph data. Within our source tree this could affect code within gfx/thebes, gfx/cairo and within layout code.
No dependency changes. Fonts are loaded by code with in the layout/style subtree and passed to gfx code for use when rendering text.
- What data is read or parsed by this feature?
- The @font-face feature works by downloading font data and passing it to system calls to create a font reference. This is used to create a platform font and text is rendered the same way as with a platform font.
- What is the output of this feature
- Web pages rendered using downloaded fonts.
- What storage formats are used
- We will be supporting the automatic download of TrueType and OpenType fonts but not Embedded OpenType or Type 1 fonts.
- What failure modes or decision points are presented to the user?
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- Font data is downloaded into the system temp directory. Under Windows, the data file is removed immediately after loading the font. On the Mac, the data file is retained until the document using the font is unloaded, so after crashes we need to clean out any leftover temp files.
There are two pref settings for this feature:
- gfx.downloadable_fonts.enabled - boolean, enable/disable downloadable fonts, enabled by default
- gfx.downloadable_fonts.same-site-origin.enabled - boolean, enable/disable same-origin restriction, enabled by default
Other than these there are no other environment variables that affect this feature. I am considering adding some logging to allow problems with downloadable fonts to be diagnosed.
Relationships to other projects
Are there related projects in the community?
- we're supporting OpenType CFF and TrueType fonts everywhere. In addition we're supporting Apple Advanced Typography fonts on Mac.
- windows probably supports bitmap fonts in an openType container. We should disable this explicitly for web-compat reasons so people don't get lured into making windows-only pages.
- need to audit places in thebes/cairo that use metrics that come from the font itself (which might be malicious)
- need to write or aquire a binary fuzzer (swapping bits/metrics)
- can also fuzz by dumping to XML and messing with the hinting. Hinting is a limited scripting/bytecode language.
- Uniscribe on Windows, pango on linux, atsui on mac. We may be exposing features here that are not well tested on the OS. Probably worth fuzzing the OS features directly.
- Font downloads are limited to same-origin with the document (not the style-sheet).
- Redirects need to be watched.
- Will be adding support for access-control for cross-site fonts.
- There's a pref "kill-switch" to disable this just in case.
- bug 458861 was a persistent mac font cache corruption. We need to somehow validate the data to some degree. Should we insist on a new MIME type and only allow those?