[websec] Font sniffing

"Anne van Kesteren" <annevk@opera.com> Tue, 25 January 2011 12:13 UTC

Due to nobody taking specifying media types, Content-Type for fonts is a  
lost cause. They probably need a loading context similar to images which  
the @font-face specification should use at some point.

Here are the signatures that Opera handles:

   0x74746366 'ttcf' (TTC; TrueType Collection)
   0x4F54544F 'OTTO' (OTF; OpenType)
   0x00010000        (TTF; TrueType)
   0x774F4646 'wOFF' (WOFF; Web Open Font Format)

For WOFF, application/font-woff is being registered, it seems, but nobody
enforces that to my knowledge. I.e. user agents sniff.


In case it was unclear this is feedback on  
http://tools.ietf.org/html/draft-ietf-websec-mime-sniff :-)


-- 
Anne van Kesteren
http://annevankesteren.nl/
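
The signature check described in the message above, as an added example that is not part of the original post and is not Opera's code: it reads the first four bytes big-endian, matches them against the four listed signatures, and compares the result with the declared Content-Type. The function names, the verdict strings and the sample bytes are assumptions made for illustration.

```javascript
// Signatures exactly as listed in the message (first four bytes, big-endian).
const FONT_SIGNATURES = new Map([
  [0x74746366, "TTC"],  // 'ttcf'
  [0x4F54544F, "OTF"],  // 'OTTO'
  [0x00010000, "TTF"],  // no ASCII tag
  [0x774F4646, "WOFF"], // 'wOFF'
]);

// Returns the sniffed format name, or null when fewer than four bytes are
// available or the leading bytes match none of the signatures.
function sniffFont(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 4) return null;
  // Honour byteOffset so views into a larger buffer are read correctly.
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return FONT_SIGNATURES.get(view.getUint32(0, false)) ?? null;
}

// Compares the declared Content-Type with the sniffed format.
// Assumption: only WOFF is compared, against application/font-woff, because
// that is the only font media type the message names.
function checkFontResponse(contentType, bytes) {
  const sniffed = sniffFont(bytes);
  const declared = (contentType || "").split(";")[0].trim().toLowerCase();
  let verdict;
  if (sniffed === null) {
    verdict = "not-a-font"; // a font loading context would reject this
  } else if (sniffed === "WOFF") {
    verdict = declared === "application/font-woff" ? "match" : "mismatch";
  } else {
    verdict = "no-type-to-compare";
  }
  return { sniffed, declared, verdict };
}

// Constructed sample inputs (not real font files).
const sampleWoff = new Uint8Array([0x77, 0x4f, 0x46, 0x46, 0x00, 0x01, 0x00, 0x00]);
const sampleHtml = new Uint8Array([0x3c, 0x68, 0x74, 0x6d, 0x6c, 0x3e]); // "<html>"
console.log(checkFontResponse("text/plain; charset=utf-8", sampleWoff));
console.log(checkFontResponse("application/font-woff", sampleHtml));
```
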