[ietf-types] Registration of media type application/font-woff
Chris Lilley <chris@w3.org> Thu, 18 November 2010 18:26 UTC
Return-Path: <chris@w3.org>
X-Original-To: ietf-types@core3.amsl.com
Delivered-To: ietf-types@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D69E3A688C for <ietf-types@core3.amsl.com>; Thu, 18 Nov 2010 10:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.599
X-Spam-Level:
X-Spam-Status: No, score=-11.599 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QQi0+EWBGWAk for <ietf-types@core3.amsl.com>; Thu, 18 Nov 2010 10:26:53 -0800 (PST)
Received: from pechora2.lax.icann.org (pechora2.icann.org [IPv6:2620:0:2d0:1::37]) by core3.amsl.com (Postfix) with ESMTP id 869063A687D for <ietf-types@ietf.org>; Thu, 18 Nov 2010 10:26:52 -0800 (PST)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by pechora2.lax.icann.org (8.13.8/8.13.8) with ESMTP id oAIIRJ4q015627 for <ietf-types@iana.org>; Thu, 18 Nov 2010 10:27:39 -0800
Received: from localhost ([127.0.0.1]) by jay.w3.org with esmtpa (Exim 4.69) (envelope-from <chris@w3.org>) id 1PJ9CY-000454-6A; Thu, 18 Nov 2010 13:27:18 -0500
Date: Thu, 18 Nov 2010 19:26:43 +0100
From: Chris Lilley <chris@w3.org>
X-Mailer: The Bat! (v3.95.6) Home
Organization: W3C
X-Priority: 3 (Normal)
Message-ID: <26911429.20101118192643@w3.org>
To: ietf-types@iana.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Greylist: Delayed for 00:23:46 by milter-greylist-4.0 (pechora2.lax.icann.org [208.77.188.37]); Thu, 18 Nov 2010 10:27:39 -0800 (PST)
Subject: [ietf-types] Registration of media type application/font-woff
X-BeenThere: ietf-types@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Chris Lilley <chris@w3.org>
List-Id: "Media \(MIME\) type review" <ietf-types.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf-types>, <mailto:ietf-types-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-types>
List-Post: <mailto:ietf-types@ietf.org>
List-Help: <mailto:ietf-types-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-types>, <mailto:ietf-types-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 18:26:54 -0000
Hello ietf-types, This is a request to review the registration for Web Open Font Format (WOFF), currently in W3C Last Call. Type name: application Subtype name: font-woff Required parameters: None. Optional parameters: None. Encoding considerations: binary. Security considerations: Fonts are interpreted data structures that represent collections of glyph outlines, metrics and layout information for various languages and writing systems. Currently, there are many standardized font data tables that allow an unspecified number of entries, and where existing, predefined data fields allow storage of binary data with variable length. There is a significant risk that the flexibility of font data structures may be exploited to hide malicious binary content disguised as a font data component. WOFF is based on the table-based SFNT (scalable font) format which is highly extensible and offers an opportunity to introduce additional data structures when needed. However, this same extensibility may present specific security concerns – the flexibility and ease of defining new data structures makes it easy for any arbitrary data to be added and hidden inside a font file. WOFF fonts may contain 'hints' for the alignment of graphical elements of the glyphs with the target display pixel grid, and depending on the font technology utilized in the creation of a font these hints may represent active code interpreted and executed by the font rasterizer. Even though they operate within the confines of the glyph outline conversion system and have no access outside the font rendering machinery, hint instructions can be, however, quite complex, and a maliciously designed complex font could cause undue resource consumption (e.g. memory or CPU cycles) on a machine interpreting it. Indeed, fonts are sufficiently complex that most if not all interpreters cannot be completely protected from malicious fonts without undue performance penalties. Widespread use of fonts as necessary component of visual content presentation warrants that a careful attention should be given to security considerations whenever a font is either embedded into an electronic document or transmitted alongside media content as a linked resource. WOFF uses gzip compression. The WOFF header contains the uncompressed length of each compressed table. Applications may therefore constrain the size of memory buffer allocated for decompression and may stop writing if a maliciously crafted WOFF file in fact contains more data than is indicated. Interoperability considerations: Published specification: This media type registration is extracted from the WOFF specification at W3C. http://www.w3.org/TR/WOFF/ Applications that use this media type: WOFF is used by Web browsers, often in conjunction with HTML and CSS. Additional information: Magic number(s): The signature field in the WOFF header MUST contain the "magic number" 0x774F4646 File extension(s): woff Macintosh file type code(s): (no code specified) Macintosh Universal Type Identifier code: org.w3c.woff Fragment Identifiers none. Person & email address to contact for further information: Chris Lilley (www-font@w3.org) Intended usage: COMMON Restrictions on usage: None Author: The WOFF specification is a work product of the World Wide Web Consortium's WebFonts Working Group. Change controller: The W3C has change control over this specification. -- Chris Lilley Technical Director, Interaction Domain W3C Graphics Activity Lead, Fonts Activity Lead Co-Chair, W3C Hypertext CG Member, CSS, WebFonts, SVG Working Groups
- [ietf-types] Registration of media type applicati… Chris Lilley