Comments (9)
+1
Switching the recommended URL from http:// to https:// should be a no-brainer.
Turning on HSTS and preloading the domain, whether or not a redirect is in place, should be problem-free.
As for turning on the HTTP->HTTPS redirect, my experience from testing HTTP->HTTPS redirects was that <script> tags are completely unaffected by 301 redirects from HTTP to HTTPS, even as far back as IE6.
If Google Fonts currently observes significant CORS usage from Safari and Android browsers, that might be a hindrance to forcing a redirect. However, CORS doesn't seem to be a formally or universally supported feature for Google Fonts, and so this issue may be moot.
In short, HSTS and preloading will improve the safety and privacy of a great number of people right away. If there's no significant CORS usage, then a forced redirect should, to the best of my knowledge and research, also work without breaking Google Fonts for clients.
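A defender's check of the two things this comment recommends (an HTTP->HTTPS redirect, and HSTS with a preload-eligible policy), written as an added example that is not from the thread or the Google Fonts project; the hostname and the responses it inspects are constructed samples, and the eligibility rules follow the hstspreload.org submission requirements:

```python
# Added example (not Google Fonts project code): offline check of the HSTS and
# redirect policy discussed above, using the hstspreload.org submission rules:
# plain HTTP must redirect to https:// on the same host, and the HTTPS reply must
# send Strict-Transport-Security with max-age >= 1 year, includeSubDomains, preload.
ONE_YEAR = 31536000
REDIRECT_CODES = {301, 302, 307, 308}

def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def check_preload_ready(host, http_resp, https_resp):
    """Each response is (status, {lowercased header: value}).
    Returns a list of problems; an empty list means preload-eligible."""
    problems = []
    status, headers = http_resp
    target = headers.get("location", "")
    if status not in REDIRECT_CODES:
        problems.append("HTTP does not redirect (status %d)" % status)
    elif target != "https://" + host and not target.startswith("https://" + host + "/"):
        problems.append("HTTP redirects to %r, not to https://%s" % (target, host))
    status, headers = https_resp
    if "strict-transport-security" not in headers:
        problems.append("no Strict-Transport-Security header on HTTPS")
        return problems
    d = parse_hsts(headers["strict-transport-security"])
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or malformed")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append("max-age %s is below one year" % d["max-age"])
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return problems

# Constructed sample responses for a hypothetical host (not real captures).
HOST = "fonts.example"
HTTP_NO_REDIRECT = (200, {"content-type": "text/css"})
HTTP_REDIRECT = (301, {"location": "https://fonts.example/css?family=Roboto"})
HTTPS_WEAK = (200, {"strict-transport-security": "max-age=86400"})
HTTPS_GOOD = (200, {"strict-transport-security":
                    "max-age=31536000; includeSubDomains; preload"})
```

Feeding real captured responses in the same (status, headers) shape shows exactly which of the three conditions a host still fails before it is submitted to the preload list.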
+1
Google Fonts supports both HTTP and HTTPS, thus allowing the integration (or the browser, when protocol-relative URLs are used) to choose the method.
There are interesting trade-offs (which will vary by integration) either way, such as the latency savings from intermediate caches in-between with HTTP.
A forced HTTPS and/or redirect would adversely affect the latency of existing integrations, esp. ones which benefit tremendously from an intermediate caching of the fonts.
A forced HTTPS and/or redirect would adversely affect the latency of existing integrations, esp. ones which benefit tremendously from an intermediate caching of the fonts.
Yet allowing Google Fonts to be served over HTTP allows Google Fonts to be modified, hijacked, or otherwise weaponized by network owners. It's because Baidu Analytics allows plain HTTP use of its analytics snippet, for example, that allowed it to be so easily weaponized by China's Great Cannon during the recent DDoS of GitHub. This is separate from other, less martial, attacks on unencrypted traffic by domestic ISPs in the US.
Google Fonts has immense reach on the web today, and fonts.googleapis.com makes a highly attractive target on any given network. Choosing security and privacy, both for yourself and on behalf of your users, is a tradeoff whose value has become much more clear to many more popular services over the last year or so -- especially at Google.
I strongly urge you to reconsider, and to make the security of individual end users of Google Fonts a top priority. As it stands, Google Fonts is catering to the desires of integrators, and allowing them to make the wrong choice -- a choice that affects millions of people who have no way of noticing what's happening or expressing an opinion on the matter.
I would also observe that the latency impact is likely to be negative, at least for modern browsers that support HTTP/2. With HTTP/2 connection re-use, new HTTPS transactions will re-use an existing TLS connection. And most of the world already has a TLS connection to Google. So not only will you not be incurring an additional TLS handshake, you'll be saving a TCP handshake and slow start.
Have you actually done the experiment to see the latency impact? Given the above, I would suggest giving it a try before concluding that HTTPS causes a latency hit.