

Mozilla Firefox: Fix bug 475891 - getdavidhiggins
http://www.change.org/petitions/mozilla-firefox-fix-bug-475891

======
Rantenki
While hardened font parsers that were safer to deploy against arbitrarily
supplied fonts would be nice, there are already issues with turning over
control of your supplied fonts to a third party:

\- [http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2013-3...](http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2013-3129)

\-
[http://www.securityfocus.com/bid/61697/discuss](http://www.securityfocus.com/bid/61697/discuss)

\- [http://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2010-3959](http://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2010-3959)

etc. And yeah, those are generally windows vulns, but IIRC, mozilla/firefox
use the OS font rendering libraries, so these are still valid (I could be
hopelessly out of date here).

Don't get me wrong; cross domain fonts would be _really_ nice to have, and
same domain fonts don't solve the font engine vulnerabilities, as you can
still have malicious domain owners messing with fonts to mess with your
browser, but it seems like font rendering is still very early stage when it
comes to hardening. I hope that once FF is feeling good about the security of
their font rendering engine (and their dependencies), they'll start loosening
the restrictions.

This doesn't even begin to cover the font/copyright licensing issues involved
with serving fonts to all and sundry that come to your webserver...

------
mbrubeck
See
[https://news.ycombinator.com/item?id=6459988](https://news.ycombinator.com/item?id=6459988)

