Everyone's gangsta until common text shaping engine allows Wasm in font files.

Wait... https://mastodon.social/@schizanon/...

huh? why in the world would you want something like that?

@thebiochemic to generalize kerning

@thebiochemic well it exists now I guess regardless

So you’re saying, instead of sneaking payloads in with jpeg & other containers, I can just embed it in a font?
Sounds like it’s time to update the inspections for disassembling fonts.

> It's only a matter of time until someone embeds a cryptominer in a font file.

Sure someone might do it, buts it's useless without network access

@devRancid Hm, author of that post is known to overestimate the effects... If it's programming in fonts, I suppose API provided is very limited. I'm yet to find out what it's supposed to operate on that variable fonts can't do.

Web assembly is very sandboxed. In fact you CAN'T even access files or anything of value since those APIs aren't even standardized yet lol

I don't really see how this is a big problem apart from the insane over engineering just to layout a damn font

@devRancid @12bitfloat @vintprox Unfortunately, since Spectre came about, any language that's fast enough is an attack vector. Yes you need an exfil path, but you can time the script by defining something in CSS that has a background image and is only visible once the font is correctly laid out, or something of that nature, so exfil really isn't as difficult as it sounds when your information is presented as render delay.

there was a trick in JS, widely publicized recently, to improve the low-res clock to the point where it can be used for cache timing attacks.