WICG / local-font-access

Web API for enumerating fonts on the local system
https://wicg.github.io/local-font-access
Apache License 2.0

SecureContext Reasoning? #6

Closed tolmasky closed 4 years ago

tolmasky commented 4 years ago

I was curious what the motivation was for restricting this feature to only Secure Contexts. If you are accessing local fonts then there shouldn't be any possibility of a man-in-the-middle attack, right?

chasephillips commented 4 years ago

Hi @tolmasky, thank you for your questions!

Secure Contexts ensure that pages (and their ancestors) using powerful APIs are delivered and run over secure connections. This ensures that the API is only granted to authenticated origins.

By requiring a secure context for this API, the browser implementation will help to ensure that the user is interacting with only the intended origin for the web app and that their data is as secure as possible in transit.
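The "pages (and their ancestors)" rule from the comment above, as an added example that is not part of the original thread or the project's code: a simplified model of the Secure Contexts check in which every document in the frame chain must be delivered over an authenticated or loopback channel. The function names and sample URLs are assumptions made for illustration, and the model omits `file:` and other cases that user agents decide for themselves.

```javascript
// Added example: a simplified model of the Secure Contexts check.
// Hostnames and frame chains below are constructed sample data.

// True when the URL is delivered over an authenticated channel (TLS) or
// addresses the local machine, so its content cannot be altered in transit.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trusted
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true; // IPv4 loopback
  return host === "[::1]"; // IPv6 loopback
}

// frameChain lists URLs from the top-level document down to the frame that
// wants the powerful API. One unauthenticated ancestor is enough to fail,
// because that ancestor's markup and script can be modified on the network.
function evaluateFrameChain(frameChain) {
  for (let depth = 0; depth < frameChain.length; depth++) {
    if (!isPotentiallyTrustworthy(frameChain[depth])) {
      return { secure: false, failedAt: depth, url: frameChain[depth] };
    }
  }
  return { secure: frameChain.length > 0, failedAt: -1, url: null };
}

// Constructed frame chains: the second one embeds an HTTPS editor inside an
// HTTP portal, so the editor frame is not a secure context.
const sampleChains = [
  ["https://app.example/", "https://fonts.example/picker"],
  ["http://portal.example/", "https://app.example/editor"],
  ["http://localhost:8080/dev"],
];
for (const chain of sampleChains) {
  console.log(chain.join(" > "), JSON.stringify(evaluateFrameChain(chain)));
}
```

In a browser, the authoritative answer for the current document is the `isSecureContext` global; the model here only shows why an HTTPS frame can still fail the check.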

chasephillips commented 4 years ago

I believe this issue has been addressed. The general discussion around security/privacy requirements is happening in https://github.com/inexorabletash/font-enumeration/issues/7. Closing, but feel free to follow up here if something wasn't clear.