Firefox3.1/Downloadable Fonts Security Review: Difference between revisions
Revision as of 08:40, 3 September 2008
Overview
The goal of this feature is to support the CSS3 @font-face feature, which allows fonts to be downloaded when referenced within stylesheets.
- Background links
Security and Privacy
The major concern with the introduction of this feature is that it exposes our text rendering code, and the platform-specific font libraries we rely on, to attack via intentionally corrupt fonts. Malicious fonts could already trigger these problems in our code today, but only via fonts already present on the system; with downloadable fonts any web page can supply the font data, which makes such an attack far easier. Possible risk areas: handling font names, reading the character map, handling metrics, and catching errors when drawing with bogus glyph data. Within our source tree this could affect code in gfx/thebes, gfx/cairo and the layout code.
Exported APIs
N/A
Module interactions
No dependency changes. Fonts are loaded by code within the layout/style subtree and passed to gfx code for use when rendering text.
Data
- What data is read or parsed by this feature?
The @font-face feature works by downloading font data and passing it to platform system calls that create a font reference from it. The resulting platform font is then used to render text in exactly the same way as a locally installed font.
- What is the output of this feature
Web pages rendered using downloaded fonts.
- What storage formats are used
We will be supporting the automatic download of TrueType and OpenType fonts but not Embedded OpenType or Type 1 fonts.
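As an added example (not code from the Firefox tree), the checks below show the kind of pre-validation a downloaded TrueType/OpenType blob warrants before it is handed to a platform font API: sniff the sfnt version tag so EOT and Type 1 data are rejected, then bounds-check every table directory entry so that a corrupt offset or length cannot steer later parsing of the character map, metrics or glyph data outside the buffer. The function names, the sample font builder and the corruption cases are all constructed for this example; the sample is not a renderable font, just enough directory structure to exercise the checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Firefox code: sanity checks for an @font-face download
 * before the bytes reach a platform font API. Only the sfnt wrapper
 * (TrueType/OpenType) is accepted; EOT and Type 1 are rejected by magic, and
 * every table directory entry is bounds-checked. */

enum font_check {
    FONT_OK = 0,
    FONT_TOO_SHORT,          /* fewer bytes than an sfnt offset table */
    FONT_BAD_MAGIC,          /* not TrueType/OpenType (EOT, Type 1, ...) */
    FONT_BAD_NUM_TABLES,     /* zero tables, or directory longer than file */
    FONT_TABLE_OUT_OF_RANGE, /* entry points into the directory or past EOF */
    FONT_BAD_HEAD_LENGTH,    /* 'head' is a fixed 54-byte table */
    FONT_MISSING_REQUIRED    /* cmap/head/hhea/hmtx/maxp not all present */
};

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

enum font_check check_sfnt(const uint8_t *buf, size_t len) {
    if (len < 12) return FONT_TOO_SHORT;
    uint32_t version = rd32(buf);
    if (version != 0x00010000u && version != 0x4F54544Fu /* 'OTTO' */ &&
        version != 0x74727565u /* 'true' */)
        return FONT_BAD_MAGIC;
    uint16_t num_tables = rd16(buf + 4);
    size_t dir_end = 12 + (size_t)num_tables * 16;   /* fits in size_t */
    if (num_tables == 0 || dir_end > len) return FONT_BAD_NUM_TABLES;

    static const char *required[] = { "cmap", "head", "hhea", "hmtx", "maxp" };
    unsigned seen = 0;                               /* one bit per table */
    for (size_t i = 0; i < num_tables; i++) {
        const uint8_t *e = buf + 12 + i * 16;
        uint32_t off = rd32(e + 8), tlen = rd32(e + 12);
        /* Sum in 64 bits: off + tlen can wrap in 32 bits and look in range. */
        uint64_t end = (uint64_t)off + tlen;
        if (off < dir_end || end > len) return FONT_TABLE_OUT_OF_RANGE;
        for (unsigned r = 0; r < 5; r++) {
            if (memcmp(e, required[r], 4) == 0) {
                seen |= 1u << r;
                if (r == 1 && tlen != 54) return FONT_BAD_HEAD_LENGTH;
            }
        }
    }
    return seen == 0x1Fu ? FONT_OK : FONT_MISSING_REQUIRED;
}

/* Constructed sample: the five required tables pointing at zero-filled
 * payloads. Not a renderable font; enough structure to exercise the checks. */
static size_t build_sample_sfnt(uint8_t *out, size_t cap) {
    static const char *tags[] = { "cmap", "head", "hhea", "hmtx", "maxp" };
    static const uint32_t lens[] = { 4, 54, 36, 4, 6 };
    size_t dir_end = 12 + 5 * 16, total = dir_end;
    for (int i = 0; i < 5; i++) total += (lens[i] + 3) & ~3u;  /* 4-byte pad */
    if (cap < total) return 0;
    memset(out, 0, total);
    wr32(out, 0x00010000u);
    out[4] = 0; out[5] = 5;                       /* numTables */
    uint32_t off = (uint32_t)dir_end;
    for (int i = 0; i < 5; i++) {
        uint8_t *e = out + 12 + (size_t)i * 16;
        memcpy(e, tags[i], 4);                    /* tag; checksum left 0 */
        wr32(e + 8, off);
        wr32(e + 12, lens[i]);
        off += (lens[i] + 3) & ~3u;
    }
    return total;                                 /* 200 bytes */
}

enum corruption {
    CORRUPT_NONE, CORRUPT_TRUNCATE, CORRUPT_INFLATE_NUM_TABLES,
    CORRUPT_WRAP_OFFSET, CORRUPT_TYPE1_MAGIC, CORRUPT_SHORT_HEAD, CORRUPT_DROP_CMAP
};

/* Builds the sample, applies one constructed corruption, runs the check. */
enum font_check check_sample(enum corruption c) {
    uint8_t buf[256];
    size_t len = build_sample_sfnt(buf, sizeof buf);
    switch (c) {
    case CORRUPT_TRUNCATE:           len -= 8; break;   /* maxp now past EOF */
    case CORRUPT_INFLATE_NUM_TABLES: buf[4] = 0xFF; buf[5] = 0xFF; break;
    case CORRUPT_WRAP_OFFSET:        /* entry 0: 0xFFFFFFFC + 8 wraps to 4 */
        wr32(buf + 12 + 8, 0xFFFFFFFCu); wr32(buf + 12 + 12, 8); break;
    case CORRUPT_TYPE1_MAGIC:        memcpy(buf, "%!PS", 4); break;
    case CORRUPT_SHORT_HEAD:         wr32(buf + 12 + 16 + 12, 20); break;
    case CORRUPT_DROP_CMAP:          memcpy(buf + 12, "zzzz", 4); break;
    default: break;
    }
    return check_sfnt(buf, len);
}

int main(void) {
    static const char *names[] = { "intact", "truncated", "inflated numTables",
        "wrapping offset", "Type 1 magic", "short head", "no cmap" };
    for (int c = CORRUPT_NONE; c <= CORRUPT_DROP_CMAP; c++)
        printf("%-20s -> %d\n", names[c], (int)check_sample((enum corruption)c));
    return 0;
}
```

This only covers the outermost layer, the table directory; the per-table parsers (cmap subtables, hmtx against maxp's glyph count, glyf data) still need their own bounds checks, and rejecting a file here does not make the platform library behind it any more robust against data that passes.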
Reliability
- What failure modes or decision points are presented to the user?
None.
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
Font data is downloaded into the system temp directory. On Windows the data file is removed immediately after the font has been loaded. On the Mac the data file is retained until the document using the font is unloaded, so after a crash we need to clean out any leftover temp files.
Configuration
- Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
- Are there build options for developers? [#ifdefs, ac_add_options, etc.]
- What ranges for the tunable are appropriate? How are they determined?
- What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
Relationships to other projects
Are there related projects in the community?
- If so, what is the proposal's relationship to their work? Do you depend on others' work, or vice-versa?
- Are you updating, copying or changing functional areas maintained by other groups? How are you coordinating and communicating with them? Do they "approve" of what you propose?