

Firefox 4: OpenType font feature support - mgunes
http://hacks.mozilla.org/2010/11/firefox-4-font-feature-support/

======
brondaire
Several years ago, the WebKit folks added support for web fonts (TrueType
fonts, in particular). It seemed harmless enough.

They didn't talk to the core OS X people, who assumed that fonts would largely
be trusted entities. The file format for TTF is quite complex, in reality, and
allows for a wide variety of attack. At that time, there were dozens of easily
exploitable vulnerabilities in how OS X handled TTF fonts.

Most of these have been fixed by now, however. I would assume the Mozilla
foundation would have the foresight to avoid a repeat of such situations, and
all rendering code would have been fully fuzzed.

~~~
mbrubeck
Yes, Mozilla's security does have a font fuzzer (along with the JavaScript
fuzzer and DOM fuzzer that have been instrumental in finding security holes
before the bad guys do):

[http://www.squarefree.com/2010/07/14/fuzzing-talk-at-the-
moz...](http://www.squarefree.com/2010/07/14/fuzzing-talk-at-the-mozilla-
summit/)

[https://wiki.mozilla.org/Firefox3.1/Downloadable_Fonts_Secur...](https://wiki.mozilla.org/Firefox3.1/Downloadable_Fonts_Security_Review)

------
alanh
Fantastic :)

(Demo is a bit odd, though — it won’t let me use the backspace key to navigate
back, no matter where I click.)

------
alexknight
Great news for typography lovers.

