250471 – font-face src format doesn't consume range when garbage follows url()

Bug 250471 - font-face src format doesn't consume range when garbage follows url()

Summary: font-face src format doesn't consume range when garbage follows url()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	CSS (show other bugs)
Version:	Other
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	BrowserCompat, InRadar, WPTImpact

Depends on:
Blocks:

Reported:	2023-01-11 12:34 PST by Vitor Roriz
Modified:	2023-01-13 06:24 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vitor Roriz 2023-01-11 12:34:31 PST

When webkit parses font-face src, if the component is a url, it first tries to parse a URL and then format().
It will just try to parse a second member after URL if such a member has a functionID equals CSSValueFormat.


This conflicts with the logic for parsing each component as comma delimited and the requirement that the src descriptor will only be valid if the whole range has been consumed by the end of its parsing.
This makes the following src descriptor in font-face to be invalidated, while it should be valid:
src: 'url("foo.ttf") dummy(xyzzy), url("bar.html")', valid: true }.

This is tested by the following wpt: https://wpt.fyi/results/css/css-fonts/parsing/font-face-src-format.html?label=experimental&label=master&aligned

Comment 1 Radar WebKit Bug Importer 2023-01-11 12:34:46 PST

<rdar://problem/104135235>

Comment 2 Vitor Roriz 2023-01-12 07:32:33 PST

Pull request: https://github.com/WebKit/WebKit/pull/8574

Comment 3 EWS 2023-01-13 06:24:03 PST

Committed 258870@main (ef82a019637b): <https://commits.webkit.org/258870@main>

Reviewed commits have been landed. Closing PR #8574 and removing active labels.