[ietf-types] Registration of media type application/font-woff

Chris Lilley <chris@w3.org> Thu, 18 November 2010 18:26 UTC

Return-Path: <chris@w3.org>
X-Original-To: ietf-types@core3.amsl.com
Delivered-To: ietf-types@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 5D69E3A688C for <ietf-types@core3.amsl.com>; Thu, 18 Nov 2010 10:26:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.599
X-Spam-Status: No, score=-11.599 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id QQi0+EWBGWAk for <ietf-types@core3.amsl.com>; Thu, 18 Nov 2010 10:26:53 -0800 (PST)
Received: from pechora2.lax.icann.org (pechora2.icann.org [IPv6:2620:0:2d0:1::37]) by core3.amsl.com (Postfix) with ESMTP id 869063A687D for <ietf-types@ietf.org>; Thu, 18 Nov 2010 10:26:52 -0800 (PST)
Received: from jay.w3.org (ssh.w3.org []) by pechora2.lax.icann.org (8.13.8/8.13.8) with ESMTP id oAIIRJ4q015627 for <ietf-types@iana.org>; Thu, 18 Nov 2010 10:27:39 -0800
Received: from localhost ([]) by jay.w3.org with esmtpa (Exim 4.69) (envelope-from <chris@w3.org>) id 1PJ9CY-000454-6A; Thu, 18 Nov 2010 13:27:18 -0500
Date: Thu, 18 Nov 2010 19:26:43 +0100
From: Chris Lilley <chris@w3.org>
X-Mailer: The Bat! (v3.95.6) Home
Organization: W3C
X-Priority: 3 (Normal)
Message-ID: <26911429.20101118192643@w3.org>
To: ietf-types@iana.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Greylist: Delayed for 00:23:46 by milter-greylist-4.0 (pechora2.lax.icann.org []); Thu, 18 Nov 2010 10:27:39 -0800 (PST)
Subject: [ietf-types] Registration of media type application/font-woff
X-BeenThere: ietf-types@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Chris Lilley <chris@w3.org>
List-Id: "Media \(MIME\) type review" <ietf-types.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf-types>, <mailto:ietf-types-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-types>
List-Post: <mailto:ietf-types@ietf.org>
List-Help: <mailto:ietf-types-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-types>, <mailto:ietf-types-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 18:26:54 -0000

Hello ietf-types,

This is a request to review the registration for Web Open Font Format
(WOFF), currently in W3C Last Call.

Type name:

Subtype name:


Required parameters:


Optional parameters:


Encoding considerations:


Security considerations:

    Fonts are interpreted data structures that represent collections
    of glyph outlines, metrics and layout information for various
    languages and writing systems. Currently, there are many
    standardized font data tables that allow an unspecified number of
    entries, and where existing, predefined data fields allow storage
    of binary data with variable length. There is a significant risk
    that the flexibility of font data structures may be exploited to
    hide malicious binary content disguised as a font data component.

    WOFF is based on the table-based SFNT (scalable font) format which
    is highly extensible and offers an opportunity to introduce
    additional data structures when needed. However, this same
    extensibility may present specific security concerns – the
    flexibility and ease of defining new data structures makes it easy
    for any arbitrary data to be added and hidden inside a font file.

    WOFF fonts may contain 'hints' for the alignment of graphical
    elements of the glyphs with the target display pixel grid, and
    depending on the font technology utilized in the creation of a
    font these hints may represent active code interpreted and
    executed by the font rasterizer. Even though they operate within
    the confines of the glyph outline conversion system and have no
    access outside the font rendering machinery, hint instructions can
    be, however, quite complex, and a maliciously designed complex
    font could cause undue resource consumption (e.g. memory or CPU
    cycles) on a machine interpreting it. Indeed, fonts are
    sufficiently complex that most if not all interpreters cannot be
    completely protected from malicious fonts without undue
    performance penalties.

    Widespread use of fonts as necessary component of visual content
    presentation warrants that a careful attention should be given to
    security considerations whenever a font is either embedded into an
    electronic document or transmitted alongside media content as a
    linked resource.

    WOFF uses gzip compression. The WOFF header contains the
    uncompressed length of each compressed table. Applications may
    therefore constrain the size of memory buffer allocated for
    decompression and may stop writing if a maliciously crafted WOFF
    file in fact contains more data than is indicated.

Interoperability considerations:

Published specification:

    This media type registration is extracted from the WOFF
    specification at W3C.

Applications that use this media type:

    WOFF is used by Web browsers, often in conjunction with HTML and CSS. 

Additional information:

    Magic number(s):
        The signature field in the WOFF header MUST contain the "magic
        number" 0x774F4646
    File extension(s):
    Macintosh file type code(s):
        (no code specified)
    Macintosh Universal Type Identifier code:
    Fragment Identifiers

Person & email address to contact for further information:

    Chris Lilley (www-font@w3.org).

Intended usage:


Restrictions on usage:


    The WOFF specification is a work product of the World Wide Web
    Consortium's WebFonts Working Group.

Change controller:

    The W3C has change control over this specification.

 Chris Lilley   Technical Director, Interaction Domain                 
 W3C Graphics Activity Lead, Fonts Activity Lead
 Co-Chair, W3C Hypertext CG
 Member, CSS, WebFonts, SVG Working Groups