Memory Safety for Web Fonts

Dominik Röttsches Rod Sheeter Chad Brokaw Skrifa is written in Rust, and created as a replacement for FreeType to make font processing in Chrome secure for all our users. Skifra takes advantage of Rust's memory safety, and lets us iterate faster on font technology improvements in Chrome. Moving from FreeType to Skrifa allows us to be both agile and fearless when making changes to our font code. We now spend far less time fixing security bugs, resulting in faster updates, and better code quality. This post shares why Chrome has moved away from FreeType, and some interesting technical details of the improvements this move has enabled. Why replace FreeType? The web is unique in that it allows users to fetch untrusted resources from a wide variety of untrusted sources with the expectation that things will just work, and that they are safe in doing so. This assumption is generally correct, but keeping that promise to users comes at a cost. For example, to use a web font safely (a font d ... Read full article.