Closed
Bug 1451656
Opened 7 years ago
Closed 6 years ago
limit support for variation fonts to secure contexts
Categories
(Core :: Layout: Text and Fonts, enhancement)
RESOLVED
WONTFIX
People
(Reporter: dbaron, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Keywords: dev-doc-needed)
I realize I missed this when reviewing bug 1447163, but per the policy described in https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/ support for variation fonts should be limited to secure contexts. I don't *think* this is implemented, although I might have missed this.
I think it's important that we stick to this policy uniformly for substantive new features, so I think this support should be limited to secure contexts. This includes making the feature detection points for the feature (new properties/values) detect as false in non-secure contexts.
Flags: needinfo?(jfkthame)
Comment 1•7 years ago
Hmmm.... yes, we've overlooked this so far. I wonder, though, if it's necessarily appropriate in this case. Are any other UAs implementing such a restriction? A brief local test suggests that both Edge and Chrome will happily use a variation font from a non-secure context.
While it's true that variation font support involves a couple of new CSS properties, it is largely an extension to existing properties/features; when support is enabled, variation fonts will respond differently to properties like font-weight. Restricting variation support to secure contexts will mean that the exact same page, using a variable font resource but with _no_ explicit use of variation-specific properties (and hence no obvious motive to do feature detection, etc) may render quite differently in secure vs non-secure contexts.
I don't have macOS 10.13 on hand for testing; Markus, could I ask you to see whether Safari on 10.13 restricts variation font support to secure contexts?
Flags: needinfo?(jfkthame) → needinfo?(mstange)
Updated•7 years ago
Keywords: dev-doc-needed
Comment 2•7 years ago
(In reply to Jonathan Kew (:jfkthame) from comment #1)
> I don't have macOS 10.13 on hand for testing; Markus, could I ask you to see
> whether Safari on 10.13 restricts variation font support to secure contexts?
It does not seem to restrict it. I rehosted https://jfkthame.github.io/variation-fonts/gingham.html at http://tests.themasta.com/gingham.html (just the html page and the font, not the screenshots at the bottom), and the two look identical in Safari 11.1 on macOS 10.13.4.
Flags: needinfo?(mstange)
Comment 3•7 years ago
OK, thanks for testing. So given that all the other major browsers are shipping this without a secure-context restriction, I think we should do the same.
:dbaron, are you OK with resolving this as WONTFIX, or do we need further discussion first?
Flags: needinfo?(dbaron)
Updated•7 years ago
Keywords: site-compat
Updated•7 years ago
Keywords: site-compat
Updated•7 years ago
status-firefox60: --- → wontfix
Comment 4•6 years ago
WONTFIX given other browsers ship this without restriction. (Feel free to resolve other bugs similarly, ask me when in doubt.)
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dbaron)
Resolution: --- → WONTFIX