5

So at face value, this makes sense -- if IE disables "font download," it shouldn't download, fine, I accept that.

HOWEVER -- what about using base64 fonts? These are embedded directly in CSS / do not reference a physical file, therefore no font should need to be downloaded, right?

At first I thought that maybe IE11 didn't like/support base64, but I can verify that it does work there when I use only a base64 font option.

I wasn't able to find any specs on this, or much info on the breadth of what "font download: disable" really means. I did see some similar posts but with no answers, and not asking the same question.

Anyone have a better explanation for this?

Lauren
  • 121
  • 1
  • 8
  • What is the actual question, though? Your title is not a question, that's literally how the font download setting for windows/IE works, and using "not a font" but a base64 string clearly works, as per your investigation, so are you simply asking if anyone knows whether there's documentation for this setting? If so, that's probably something you should ask on a windows forum, or maybe even superuser.com – Mike 'Pomax' Kamermans Mar 08 '16 at 01:25
  • Re-read the question, tho I understand if I lost you somewhere along the way -- base64 ITSELF works in IE11, but NOT with font download disabled. If you're using base64, then technically you're not requiring a font download, right? So why would disabling "font download" prevent a base64 font? – Lauren Mar 08 '16 at 13:52
  • Changed the title to clarify base64 – Lauren Mar 08 '16 at 13:58
  • 1
    I suspect that "Font Download" does not refer to the act of downloading, but specifically to the act of downloading the file to disk and then loading a webfont into active memory. Even if you supply the resource as BASE64 string, the browser still needs to decode that data to a "file" for loading into active memory and then running. There have been vulnerabilities related to webfonts in the past, so as an Internet Options security setting, it doesn't make much sense to be exclusively about saving the font to disk. – Mike 'Pomax' Kamermans Mar 08 '16 at 16:58
  • As a question not really about anything programming related (it is a little, but it's mostly not) rather than stackoverflow, http://answers.microsoft.com/en-us/ie/forum?auth=1 is presumably a much better place to find out. Of course, if you want to ask there and when you have an answer, answer your own question here, I'm sure that'll help future visitors of the site, too. – Mike 'Pomax' Kamermans Mar 08 '16 at 16:59
  • Thank you for taking the time to respond, much appreciated! I upvoted your comment explaining the sequence of events, that makes sense / helped me understand. I found a resource for the base64 spec that touches on security, posting as an answer. Thanks again! – Lauren Mar 08 '16 at 20:18

1 Answers1

4

Per a memo on the base64 spec:

  1. Security

    Interpretation of the data within a "data" URL has the same security considerations as any implementation of the given media type. An application should not interpret the contents of a data URL which is marked with a media type that has been disallowed for processing by the application's configuration.

Sources: http://www.ietf.org/rfc/rfc2397.txt http://sosweetcreative.com/2613/font-face-and-base64-data-uri

Lauren
  • 121
  • 1
  • 8