GitHub font icons

Published May 20, 2012

Recently GitHub changed some of their icons to font characters. Yes, read that twice. It's an interesting idea and while it demonstrates an admirable amount of 'because I can', there's a small matter of using the right tool for the job. It's a bad idea to allow websites to set custom fonts, because font rendering goes back a long way and pre-dates the rich web experience we have now. Recently there was a big security issue in Windows due to a bug in its font parser, which runs in, yep, you guessed it, the kernel. It might seem stupid to handle font parsing in the kernel but it turns out that other OSes do or at some point have done this too (yep, including X11 as root), because font rendering as a whole needs to be fast (although parsing not so much).

And historically it wasn't that big of an issue because fonts were all local and if you had someone inserting malicious files onto your machine then you had other problems. When many font parsers were originally written, they weren't really intended to deal with malicious input because the infrastructure for using them as an attack vector didn't yet exist.

It's for a very good reason that NoScript blocks remote fonts.

Unfortunately, it makes navigating GitHub a bit difficult. And it's not like their fonts are any better than their icons anyway. They look a bit odd, and they'll inevitably render inconsistently across platforms and browsers. Or, as on mine, not at all.