Closed Bug 1617602 Opened 5 years ago Closed 5 years ago

@font-face with src:local() should not be able to look up hidden system fonts

Categories

(Core :: Layout: Text and Fonts, defect, P3)

Product:
Core
Component:
Layout: Text and Fonts
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox75 --- fixed

People

(Reporter: jfkthame, Assigned: jfkthame)

Details

Attachments

(1 file)

Bug 1617602 - Don't allow src:local() to look up hidden system font names. r=heycam
47 bytes, text/x-phabricator-request
Details | Review

On macOS, there are a number of fonts that have dot-prefixed family names such as ".Keyboard", ".LastResort", in addition to the ".SF NS" system font family. These fonts are used internally by the OS for particular purposes (including to satisfy requests for "the system font") but are not supposed to be directly exposed to users as named fonts.

We exclude these from being used directly in the font-family property, so that

data:text/html,<div style="font-family: '.SF NS', Times">foo bar

will (correctly, IMO) use Times, although

data:text/html,<div style="font-family: -apple-system, Times">foo bar

uses the system font family that (currently, as of macOS 10.15) is internally called ".SF NS".

However, we inadvertently still allow these fonts to be accessed by name using @font-face { src: local(...) }, which I consider[1] a bug. So

data:text/html,<style>@font-face{font-family:foo;src:local(".LastResort")}</style><div style="font-family: foo, Times">foo bar

shows a run of LastResort glyphs, which I don't think should be allowed, given that we don't do it for

data:text/html,<div style="font-family: '.LastResort', Times">foo bar

[1] Note that while Chrome partially[2] agrees with our behavior whereby these hidden system fonts are not accessible by name from CSS, Safari currently disagrees: dot-prefixed font names do work in font-family and in src:local() in Safari. I think that is inappropriate, given that such fonts are not exposed in typical application UI (font menus, etc), but I guess this is a platform integration issue for which there isn't any real spec. CSS Fonts talks about "available installed fonts", but doesn't define precisely what that means.

[2] I was going to just say that Chrome agrees, but further testing indicates it is inconsistent. font-family: ".SF NS" doesn't match, but font-family: ".LastResort" does. But it doesn't work in src:local(). I don't know what they're thinking...

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bcc32206ae4c Don't allow src:local() to look up hidden system font names. r=heycam

https://hg.mozilla.org/mozilla-central/rev/bcc32206ae4c

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: