Does typekit pose a security risk?

Question

I'm currently doing front-end development for an insurance companies client portal and one of their developers is concerned about using typekit for security reasons. Does anyone know if there is a legitimate risk in using typekit on secure sites? Also, if anyone has some documentation on this that I could send to this developer that would be really helpful, I (surprisingly) wasn't able to find anything on the typekit site that would put his mind at ease.

Thanks!

Answer 1

There are different ways of including Typekit fonts. When you host your own CSS with @font-face rules pointing at font files on Typekit servers that's generally fine.

In this case Typekit will receive the URL of the page the user is browsing as a referrer, but there should not in general be sensitive information in the URL so that should be OK. (That may not be true if you have something like a reset password link - if you do, take care to ensure such URLs can only be accessed once so the ID in the link is worthless afterwards.)

However there is a variant where you include a script tag pointing at them:

<script type="text/javascript" src="https://use.typekit.com/some_id.js"></script>

This is a bad idea if your site does anything sensitive, because it gives typekit complete control over everything a user does on your site. If they went evil (or were compromised), they could steal any passwords typed on your site, delete all the user's data on the site, redirect the user to browser exploits, and so on.

In general you should never include remote scripts or stylesheets from anyone you don't 100% trust with the security of your site.

Answer 2

Any time you embed content, whether it be JS, CSS, fonts or anything else, from an external source to a sensitive page, you're increasing your attack surface. This does not necessarily mean that there is, or will be, a specific attack, but it does create more potential ways in which your site could be compromised.

Indeed, there have been real-world attacks using web fonts even without JavaScript, both based on browser / OS bugs and simply based on interactions of deliberate browser features. The Firefox security extension NoScript blocks CSS @font-face by default for that reason.

If you want to use a custom font on your secure site, the safest way to do it is to host it yourself — either on the site itself, or, perhaps better yet, from a separate no-cookie domain which is under your control, but isolated from your main website content by browser same-origin policies.