Tags: security, typekit

Does typekit pose a security risk?


I'm currently doing front-end development for an insurance company's client portal and one of their developers is concerned about using Typekit for security reasons. Does anyone know if there is a legitimate risk in using Typekit on secure sites? Also, if anyone has some documentation on this that I could send to this developer that would be really helpful, I (surprisingly) wasn't able to find anything on the Typekit site that would put his mind at ease.

Thanks!


Solution

  • There are different ways of including Typekit fonts. When you host your own CSS with @font-face rules pointing at font files on Typekit servers that's generally fine.

    In this case Typekit will receive the URL of the page the user is browsing as a referrer, but there should not in general be sensitive information in the URL so that should be OK. (That may not be true if you have something like a reset password link - if you do, take care to ensure such URLs can only be accessed once so the ID in the link is worthless afterwards.)

    However there is a variant where you include a script tag pointing at them:

    <script type="text/javascript" src="https://use.typekit.com/some_id.js"></script>

    This is a bad idea if your site does anything sensitive, because it gives Typekit complete control over everything a user does on your site. If they went evil (or were compromised), they could steal any passwords typed on your site, delete all the user's data on the site, redirect the user to browser exploits, and so on.

    In general you should never include remote scripts or stylesheets from anyone you don't 100% trust with the security of your site.
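A small audit along the lines of the answer's last point, added here as an example and not part of the original post: it lists every cross-origin script or stylesheet an HTML page loads, so a reviewer can see at a glance which third parties would get control of the page. The first-party origin, the sample HTML and the third-party domain names are constructed for the example.

```javascript
// Added example (not from the original answer): find cross-origin <script> and
// <link rel="stylesheet"> includes in an HTML document. A remote script runs with
// the page's full privileges; a remote stylesheet is weaker but still not harmless.
const SITE_ORIGIN = "https://portal.example-insurer.test"; // assumed first-party origin

// Constructed sample page: self-hosted CSS and JS, a Typekit script include, and a
// protocol-relative third-party stylesheet.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/fonts.css">
<script src="/js/app.js"></script>
<script type="text/javascript" src="https://use.typekit.com/some_id.js"></script>
<link rel="stylesheet" href="//cdn.example-third-party.test/theme.css">
</head><body></body></html>`;

// Resolve a (possibly relative or protocol-relative) URL against the site origin.
// Returns the resolved origin, or null if the value is not a parseable URL.
function resolveOrigin(url, base) {
  try { return new URL(url, base).origin; } catch { return null; }
}

// Returns {tag, url, origin, kind} for each script or stylesheet whose origin
// differs from siteOrigin, in document order.
function findThirdPartyIncludes(html, siteOrigin) {
  const findings = [];
  const tagRe = /<(script|link)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // Stylesheets only; ignore <link> tags for icons, preloads, etc.
    if (tag === "link" && !/rel\s*=\s*["']stylesheet["']/i.test(attrs)) continue;
    const attr = tag === "script" ? "src" : "href";
    const urlMatch = attrs.match(new RegExp(`\\b${attr}\\s*=\\s*["']([^"']+)["']`, "i"));
    if (!urlMatch) continue; // inline script, nothing fetched remotely
    const origin = resolveOrigin(urlMatch[1], siteOrigin);
    if (origin && origin !== siteOrigin) {
      findings.push({
        tag,
        url: urlMatch[1],
        origin,
        kind: tag === "script" ? "full-page-control" : "presentation-control",
      });
    }
  }
  return findings;
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(findThirdPartyIncludes(SAMPLE_HTML, SITE_ORIGIN));
}
```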