| Summary: | font-face src format doesn't consume range when garbage follows url() | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Vitor Roriz <vitor.roriz> |
| Component: | CSS | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | karlcow, mmaxfield, webkit-bug-importer |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar, WPTImpact |
| Version: | Other | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||

Pull request: https://github.com/WebKit/WebKit/pull/8574

Committed 258870@main (ef82a019637b): <https://commits.webkit.org/258870@main>

Reviewed commits have been landed. Closing PR #8574 and removing active labels.

When WebKit parses font-face src, if the component is a url, it first tries to parse a URL and then format(). It will only try to parse a second member after the URL if that member has a functionID equal to CSSValueFormat. This conflicts with the logic for parsing each component as comma-delimited and the requirement that the src descriptor is only valid if the whole range has been consumed by the end of its parsing.

This causes the following src descriptor in font-face to be invalidated, while it should be valid: `src: 'url("foo.ttf") dummy(xyzzy), url("bar.html")', valid: true }`.

This is tested by the following WPT: https://wpt.fyi/results/css/css-fonts/parsing/font-face-src-format.html?label=experimental&label=master&aligned
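
A simplified model of the two behaviours described in this report, added here as an illustration. It is not WebKit's parser code: the function names and the token model are assumptions, and only `url()` and `format()` are understood.

```javascript
// Added example: toy tokenizer for a src value (functions and commas only).
function tokenize(src) {
  const re = /\s*(?:(,)|([a-z-]+)\(((?:"[^"]*"|[^()"])*)\))/iy;
  const tokens = [];
  const end = src.trimEnd().length;
  for (let pos = 0; pos < end; pos = re.lastIndex) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unsupported token at offset ${pos}`);
    tokens.push(m[1]
      ? { type: 'comma' }
      : { type: 'function', name: m[2].toLowerCase(),
          arg: m[3].trim().replace(/^"|"$/g, '') });
  }
  return tokens;
}

// Behaviour described in the report: after url(), only a format() function is
// consumed. Anything else stays in the range, so the comma check fails and the
// whole descriptor is rejected (null).
function parseSrcAsReported(src) {
  const t = tokenize(src);
  const sources = [];
  for (let i = 0; i < t.length;) {
    if (t[i].name !== 'url') return null;
    const source = { url: t[i++].arg };
    if (i < t.length && t[i].name === 'format') source.format = t[i++].arg;
    sources.push(source);
    if (i === t.length) break;
    if (t[i].type !== 'comma' || ++i === t.length) return null;
  }
  return sources.length ? sources : null;
}

// Per-component parsing: split the range at commas, drop any component that is
// not exactly url() [format()], and accept if at least one source remains.
function parseSrcPerComponent(src) {
  const sources = [];
  let component = [];
  for (const tok of [...tokenize(src), { type: 'comma' }]) {
    if (tok.type !== 'comma') { component.push(tok); continue; }
    const [first, second, ...rest] = component;
    component = [];
    if (!first || first.name !== 'url' || rest.length) continue;
    if (second && second.name !== 'format') continue;
    sources.push(second ? { url: first.arg, format: second.arg } : { url: first.arg });
  }
  return sources.length ? sources : null;
}
```

With the value from the report, `parseSrcAsReported` rejects the whole descriptor, while `parseSrcPerComponent` drops only the first component and keeps `bar.html`.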