[chromium-dev] Re: Full pass of acid3.
Yes, we are working on some ideas to address known security issues of CSS3 Web Fonts. The engineer in Tokyo is now checking some implementation to see how effective the idea is and consider how to improve it to become safer.

Takuya

On Sun, Jul 5, 2009 at 1:57 AM, Ian Fette i...@chromium.org wrote:
> There are a few people looking at doing this safely (including part of the team in Tokyo). There are ideas on how to do this in a reasonably safe manner and they are being explored. The security review is not in progress - previous status was Bad, there was work done to come up with ways to address said concerns, and now work is being done to try to implement those ideas - security review will happen again once those ideas are implemented.
>
> -Ian
>
> 2009/7/4 Peter Kasting pkast...@google.com
>> On Fri, Jul 3, 2009 at 9:34 PM, Darin Fisher da...@chromium.org wrote:
>>> http://code.google.com/p/chromium/issues/detail?id=9633
>>
>> I see. Is the security review for these in progress? Seems like I saw some concerns about embeddable fonts... are those fixable? I would be sad to see these off-by-default for an indefinite time.
>>
>> PK

--
Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
[chromium-dev] Re: Full pass of acid3.
On Fri, Jul 3, 2009 at 9:34 PM, Darin Fisher da...@chromium.org wrote:
> http://code.google.com/p/chromium/issues/detail?id=9633

I see. Is the security review for these in progress? Seems like I saw some concerns about embeddable fonts... are those fixable? I would be sad to see these off-by-default for an indefinite time.

PK
[chromium-dev] Re: Full pass of acid3.
There are a few people looking at doing this safely (including part of the team in Tokyo). There are ideas on how to do this in a reasonably safe manner and they are being explored. The security review is not in progress - previous status was Bad, there was work done to come up with ways to address said concerns, and now work is being done to try to implement those ideas - security review will happen again once those ideas are implemented.

-Ian

2009/7/4 Peter Kasting pkast...@google.com
> On Fri, Jul 3, 2009 at 9:34 PM, Darin Fisher da...@chromium.org wrote:
>> http://code.google.com/p/chromium/issues/detail?id=9633
>
> I see. Is the security review for these in progress? Seems like I saw some concerns about embeddable fonts... are those fixable? I would be sad to see these off-by-default for an indefinite time.
>
> PK
[chromium-dev] Re: Full pass of acid3.
On Sat, Jul 4, 2009 at 9:57 AM, Ian Fette i...@chromium.org wrote:
> There are a few people looking at doing this safely (including part of the team in Tokyo). There are ideas on how to do this in a reasonably safe manner and they are being explored. The security review is not in progress - previous status was Bad, there was work done to come up with ways to address said concerns, and now work is being done to try to implement those ideas - security review will happen again once those ideas are implemented.

So did Mozilla just elect to ship Fx 3.5 with similar vulnerabilities, or are we vulnerable in ways they aren't, or are these not well-understood outside the Chromium community (which would surprise me)?

I ask because @font-face support is one of the big talking points in the press for Fx 3.5. I assume that's the same feature.

PK
[chromium-dev] Re: Full pass of acid3.
On Sat, Jul 4, 2009 at 12:59 PM, Peter Kasting pkast...@google.com wrote:
> On Sat, Jul 4, 2009 at 9:57 AM, Ian Fette i...@chromium.org wrote:
>> There are a few people looking at doing this safely (including part of the team in Tokyo). There are ideas on how to do this in a reasonably safe manner and they are being explored. The security review is not in progress - previous status was Bad, there was work done to come up with ways to address said concerns, and now work is being done to try to implement those ideas - security review will happen again once those ideas are implemented.
>
> So did Mozilla just elect to ship Fx 3.5 with similar vulnerabilities, or are we vulnerable in ways they aren't, or are these not well-understood outside the Chromium community (which would surprise me)?
>
> I ask because @font-face support is one of the big talking points in the press for Fx 3.5. I assume that's the same feature.

Many apologies to those of you following this discussion on chromium-dev, but we can't answer this question publicly. Members of the Mozilla security group should feel free to contact me or Ian privately if you have similar questions.

Adam
[chromium-dev] Re: Full pass of acid3.
Woot! What's --enable-remote-fonts, and will it be on by default soon?

Thanks dglazkov!

PK

On Jul 3, 2009 12:13 PM, Dimitri Glazkov dglaz...@google.com wrote:
> As of r19910 (and with --enable-remote-fonts flag), we now fully pass the acid3 test.
>
> Thanks to brettw for his patience and to pkasting for guilting me into fixing this the right way.
>
> :DG