css - Hosted web fonts, CDN's, @font-face, and privacy
If I use hosted fonts on a CDN, @font-face, or a service like Typekit, is it possible for the host to read the characters being rendered with the font in my pages (and therefore read the content of the pages)?
If so, this seems like a significant privacy issue.
Any expertise or recommended reading on the topic?
Web fonts are stored as monolithic files (WOFF, OTF, EOT or SVG) and must be fetched by the browser in their entirety to display any character in them. It's not possible to detect the usage of single characters.
There is a potential privacy leak in web font embedding, but it's more subtle than that, and unlikely to be exploitable for anything.
It occurs when using a web font as a fallback font, for example:
@font-face {
    font-family: "one";
    src: url(http://themes.googleusercontent.com/static/fonts/overlock/v2/pr-80_x4sioocpxz2vxc5feszw2xoq-xsnqo47m55da.woff) format('woff');
}
@font-face {
    font-family: "two";
    src: url(http://themes.googleusercontent.com/static/fonts/overlock/v2/ecjpf2hw5gsz4m16yldg84bn6udyhwbl620a-irfubk.woff) format('woff');
}
p {
    font-family: "one", "two", sans-serif;
}
In the example, if there are only Latin characters in the <p> element, the browser might choose to fetch only the WOFF file for font "one". If there are other characters not present in the "one" font, the browser will have to fetch the second file as well, in order to find the glyph for the character in "two". The external party is then able to know that 1 or more characters not present in "one" had been used on the page.
I wouldn't worry about it. It's IMO unlikely you'd use an embedded fallback font (other than deliberately, in an attempt to optimise for common characters, and have an extended version of the same font for when unusual characters have been used).
It doesn't happen on all browsers anyway. Chrome does this; Firefox fetches every embedded font included in a font-family list used by an element in the document.
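The fallback behaviour described in the answer, modelled as an added example (not code from the original answer). The font URLs and the per-font Unicode coverage are constructed for illustration; the loader functions model the lazy (per-character) and eager (whole list) fetching strategies the answer attributes to Chrome and Firefox, and the last function shows the only thing the font host can infer from its request log.

```javascript
// Constructed font stack for a <p> element: "one" covers basic Latin only,
// "two" covers basic Latin plus Greek, sans-serif is a local font (no fetch).
const FONT_STACK = [
  { family: "one", url: "https://fonts.example/one.woff",
    covers: (cp) => cp >= 0x20 && cp <= 0x7e },
  { family: "two", url: "https://fonts.example/two.woff",
    covers: (cp) => (cp >= 0x20 && cp <= 0x7e) || (cp >= 0x370 && cp <= 0x3ff) },
  { family: "sans-serif", url: null, covers: () => true },
];

// Lazy loader: for each character, take the first font in the stack that has
// its glyph and fetch that file (once). Returns the URLs the host sees, in order.
function fetchedFontUrls(text, stack = FONT_STACK) {
  const requested = [];
  for (const ch of text) {
    const font = stack.find((f) => f.covers(ch.codePointAt(0)));
    if (font.url && !requested.includes(font.url)) requested.push(font.url);
  }
  return requested;
}

// Eager loader: every web font in the stack is fetched regardless of content,
// so the request log carries no information about the page text at all.
function eagerFontUrls(stack = FONT_STACK) {
  return stack.filter((f) => f.url).map((f) => f.url);
}

// What the host can infer from a lazy loader's requests: each whole file is
// served, so at most it learns that some glyph outside an earlier font's
// coverage appeared on the page, never which character it was.
function hostInference(urls, stack = FONT_STACK) {
  if (urls.length === 0) return [];
  const webFonts = stack.filter((f) => f.url);
  const last = webFonts.findIndex((f) => f.url === urls[urls.length - 1]);
  return webFonts.slice(0, last).map((f) => `at least one glyph outside "${f.family}"`);
}
```

Running `fetchedFontUrls("hello αβ")` yields both URLs, and `hostInference` on that log reports only that a glyph outside "one" was used.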