Have we considered implementing Metafilter in a font?*
July 3, 2024 3:11 AM

"Valdemar Erk showing Tetris running in a WASM font, at 22m56s in this video."

via:
The key trick here is that the font renderer library HarfBuzz (used by Firefox, Chrome, Android, GNOME and more) added a new WebAssembly extension in version 8.0 last year, which is powerful enough to run [Tetris or] a full LLM based on the tinyllama-15M model - which fits in a 60MB font file.
---
;*
posted by kliuless (22 comments total) 7 users marked this as a favorite
 
previously
posted by HearHere at 4:32 AM on July 3 [1 favorite]


Why are we doing this? This, specifically, was what made Flash so dangerous.
posted by mhoye at 4:46 AM on July 3 [17 favorites]


I look forward to Font Friday games.
posted by mittens at 4:49 AM on July 3 [5 favorites]


But can it run Doom?
posted by Major Clanger at 5:24 AM on July 3


I mean, Flash was also owned, designed, and maintained by one company. WebAssembly is at least theoretically an open standard.
posted by jy4m at 5:54 AM on July 3


It's not necessarily WebAssembly that's the problem, it's incorporating it into a font renderer. A lot of users might be wary of downloading an executable but think nothing of downloading and installing a font.
posted by mrgoldenbrown at 6:17 AM on July 3 [5 favorites]


I mean, they are rebuilding the site's backend.
posted by adamrice at 6:18 AM on July 3 [2 favorites]


as I understand it wasm in the browser is executed in the same sort of sandbox that javascript is, so either it's safe or javascript isn't safe either
posted by BungaDunga at 6:21 AM on July 3 [1 favorite]


Looking forwards to the Comic Sans virus.
posted by CynicalKnight at 6:31 AM on July 3 [3 favorites]


> as I understand it wasm in the browser is executed in the same sort of sandbox that javascript is, so either it's safe or javascript isn't safe either

HarfBuzz isn't just a web tech, and neither is WASM.

A font containing a Turing-complete sublanguage opens up a whole pile of problems. From a software developer's perspective, taking a string of text and turning it into glyphs should be a near-O(n) operation that doesn't require extensive hardening to prevent leaks of user secrets.

And javascript in the browser managed to leak user secrets by exploiting hardware cache impact on timing. Hardening the sandboxes against such attacks required the hardware to get patched and extensive work on the VMs that ran the javascript.

As someone who just wants to render text, we have no interest in maintaining an up to date secure environment to run a VM in, and by adding WASM support to the font every single font we run is now a possible dangerous payload that requires hardening the application's font engine and keeping up with 0-day exploits.

It is easy to make a script or a description of something Turing-complete; it takes work to avoid it. Doing so is evil if you don't have a good reason to do so, and you should reject technology stacks that add Turing-complete sub-systems without an extremely good reason to do so.

Fonts are already bad enough with ligature based computing - adding more power makes them worse, not better.
posted by NotAYakk at 6:36 AM on July 3 [8 favorites]


Yeahhh...no. This lands firmly in the "just because we can, doesn't mean we should" box.
posted by Thorzdad at 7:23 AM on July 3


The attack surface of WASM in fonts is just insane. You can sandbox all you want and still have your computer slow to a crawl because of poorly implemented or malicious WASM. Most people/protocols are used to fonts being hosted somewhere other than the originating site, which means one compromise can affect a big slice of the web. But most importantly: you can turn off or interrupt javascript on a page. Do you know how to do that for WASM hinting? Does your browser even have a mechanism for disabling it? Probably not!
posted by phooky at 7:30 AM on July 3 [2 favorites]


Fonts cannot be held responsible for any of their acts while performing their official duty of displaying characters on the screen.
posted by njohnson23 at 7:38 AM on July 3 [2 favorites]


> Looking forwards to the Comic Sans virus.

Comic Sans already is a virus.
posted by JoeZydeco at 7:41 AM on July 3


This is stupid. Finite state machines for glyph composition may be complicated as hell to generate, but they are guaranteed to finish running in simple time. Unlike anything Turing-complete. My god this is stupid. Gaahhh.

It feels like Postscript all over again. Oh sure, let me send a page to my printer and forty five minutes later it spits out a Mandelbrot set. Very useful. No. No it isn't. Stop this.
posted by seanmpuckett at 7:43 AM on July 3 [4 favorites]


Dibs on a bitcoin-mining font ...
posted by JustSayNoDawg at 7:44 AM on July 3 [3 favorites]


In a less panicky mode-- this is an extension which has to explicitly be enabled at build time. Is there any browser or other tool currently planning to ship with font WASM/js turned on? (I'm sure there will be plenty of "oops turned on WASM" incidents in the future, but I'm guessing anyone shipping anything that even smells like infrastructure would never switch this on.)
posted by phooky at 8:04 AM on July 3
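
One way to audit font files for the kind of payload discussed in this thread, as an added example that is not part of the thread and is not HarfBuzz code: it reads the table directory of a TTF/OTF, TTC or WOFF 1.0 file and reports whether a `Wasm` table is present. The `Wasm` tag is an assumption (the thread does not name it; it is the table tag HarfBuzz's Wasm shaper is documented to read), and the function names and sample fonts are constructed for illustration.

```python
import struct

WASM_TAG = b"Wasm"  # assumption: the table tag HarfBuzz's Wasm shaper looks for
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")

def _dir_tags(data, start, count, rec_size):
    """Read `count` 4-byte tags from fixed-size directory records."""
    end = start + count * rec_size
    if end > len(data):
        raise ValueError("truncated table directory")
    return [data[p:p + 4] for p in range(start, end, rec_size)]

def _sfnt_tags(data, off):
    """Tags of one sfnt face: 12-byte header, then 16-byte table records."""
    if data[off:off + 4] not in SFNT_MAGICS:
        raise ValueError("not an sfnt font")
    (num_tables,) = struct.unpack_from(">H", data, off + 4)
    return _dir_tags(data, off + 12, num_tables, 16)

def table_tags(data):
    """Return one list of table tags per face; TTC files hold several faces."""
    if data[:4] == b"ttcf":
        (num_fonts,) = struct.unpack_from(">I", data, 8)
        if 12 + 4 * num_fonts > len(data):
            raise ValueError("truncated TTC header")
        offsets = struct.unpack_from(">%dI" % num_fonts, data, 12)
        return [_sfnt_tags(data, o) for o in offsets]
    if data[:4] == b"wOFF":  # WOFF 1.0: 44-byte header, 20-byte records
        (num_tables,) = struct.unpack_from(">H", data, 12)
        return [_dir_tags(data, 44, num_tables, 20)]
    return [_sfnt_tags(data, 0)]

def classify(data):
    """'wasm' if any face carries a Wasm table, else 'clean' or 'malformed'."""
    try:
        faces = table_tags(data)
    except (ValueError, struct.error):
        return "malformed"
    return "wasm" if any(WASM_TAG in tags for tags in faces) else "clean"

def build_sfnt(tags):
    """Constructed sample: a table directory only, with zeroed records."""
    head = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tags), 0, 0, 0)
    return head + b"".join(struct.pack(">4sIII", t, 0, 0, 0) for t in tags)

if __name__ == "__main__":
    for tags in ([b"cmap", b"glyf"], [b"GSUB", b"Wasm", b"cmap"]):
        print(tags, "->", classify(build_sfnt(tags)))
```

WOFF2 uses a different directory encoding and is not parsed here, so such files come back as `malformed` rather than `clean`.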


OpenType already has incredibly complex rules for handling ligatures and initial/medial/terminal forms: features that typography in English barely uses, but other languages require. Remember that "Commas in big numbers everywhere: An OpenType adventure" article that provided a font that inserted commas or spaces inside long runs of digits? That uses a basic OpenType feature required for Arabic typography. Looking at the documentation for OpenType's Glyph Substitution (GSUB) it looks like it's already well on its way to full sentience, let alone Turing-completeness.

Remember that HarfBuzz looks at solving the problems of text layout from the point of view of Persian. English page layout is basically potato-printing compared to Persian. This Turing-complete renderer might be able to provide practical micro-justification, where character glyphs are modified on the fly depending on several contexts to give fully justified text with perfectly even visual spacing.

While this does introduce some security issues, it does enable previously unimaginable display effects. Maybe being able to trust just any old font from the web is over-rated anyway. Without programmability, all of our electronic devices become passive viewers, displaying only adverts from the masters to the grateful populace.
posted by scruss at 10:29 AM on July 3 [1 favorite]


taps sign:
A TYPEFACE CAN NEVER BE HELD ACCOUNTABLE
THEREFORE A TYPEFACE MUST NEVER
MAKE A MANAGEMENT DECISION
posted by k3ninho at 10:43 AM on July 3 [3 favorites]


Bringing in a comment here from a former colleague at Mozilla who's still there working on compilers, repudiating my above position:
"The ability to do this kind of thing safely is Wasm's raison d'être. Unlike Flash, Wasm is built from the ground up with security as a top priority, so there are simple, efficient ways to implement a Wasm sandbox. Code inside the sandbox is structurally prevented from accessing memory outside the sandbox.

I can't speak to the value of user-defined shaping, but if you're going to support it at all, this is exactly how it should be done."
That makes me feel a lot better actually.
posted by mhoye at 10:49 AM on July 3 [3 favorites]


Neat that, if I understand correctly, you can go back and type new moves halfway through the history of a game and see the future result shift.
posted by lucidium at 11:24 AM on July 3


seanmpuckett > This is stupid. Finite state machines for glyph composition may be complicated as hell to generate, but they are guaranteed to finish running in simple time. Unlike anything Turing-complete. My god this is stupid. Gaahhh.
It feels like Postscript all over again. Oh sure, let me send a page to my printer and forty five minutes later it spits out a Mandelbrot set. Very useful. No. No it isn't. Stop this.


I swear nobody but NOBODY anymore gets the idea of "make things as simple as possible, but no simpler" and either ignores that the concept of "unnecessary or useless features" even exists, or does their level best to simplify something useful into uselessness, or even manages both at the same time.
I say while staring intently at the last several versions of Windows, a few Linux distros, and at least half of all "enterprise" software I ever interacted with.
posted by Enturbulated at 11:55 PM on July 4 [1 favorite]




This thread has been archived and is closed to new comments