jasonthorsness 2 hours ago

It’s difficult (impossible?) to force a font on the web in a way that can’t be overridden by some users. This must have been a font designed for device-specific applications picked up for other use-cases? Or maybe they just didn’t care that the long tail of users might see the string “googlelogoligature” instead of the logo.

  • em-bee an hour ago

    any website that supplies its own fonts will work. the number of people that would override the fonts specified in a website is small.

void-pointer an hour ago

Why didn’t google just use a Unicode private use code point like apple does with U+F8FF? ()

  • layer8 14 minutes ago

    Because that wouldn’t degrade gracefully with a different font.

adzm 4 hours ago

Wow it still works.

  • Kyro38 3 hours ago

    The issue has been fixed on Chrome: https://issues.chromium.org/issues/391788835

    But ligature is indeed still visible on Google search.

    • netsharc 2 hours ago

      https://chromium-review.googlesource.com/c/chromium/src/+/62...

      Gotta love that the patch isn't fixing the font, but adding a rule for domain names which contain a substring similar to the ligature name...

      • em-bee 2 hours ago

        fixing the font does not help those that downloaded the font and won't get the new version. it also does not prevent malicious code from replacing the font on your machine with a version that has the ligature.

        in fact this could be a novel attack vector. replace fonts on victims' devices to hide the true address of a website. the fix then would have to be to not display any ligatures at all in website addresses, which in my opinion would be a smart change.

        • toast0 an hour ago

          > fixing the font does not help those that downloaded the font and won't get the new version. it also does not prevent malicious code from replacing the font on your machine with a version that has the ligature.

          Fixing the code doesn't help users that downloaded code and don't get the new version either.

          Malicious code that can replace a font can replace a lot more too.

          • em-bee 8 minutes ago

            right, but replacing a font is much easier than replacing a browser.
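
Added example, not part of any comment in this thread and not Chromium's patch: a simplified model of ligature substitution over a hostname, used as a check for whether the displayed text would differ from the real characters. The two trigger strings are the ones quoted in this thread; the glyph labels, function names and sample hostnames are constructed for illustration.

```python
# Trigger strings quoted in the thread. The glyph labels are constructed
# placeholders, not the font's real glyph names.
LIGATURES = {
    "googlelogoligature": "<glyph-1>",
    "glogoligature": "<glyph-2>",
}


def shape(host, ligatures=LIGATURES):
    """Simplified shaping pass: at each position substitute the longest
    matching trigger with a single glyph, otherwise emit the character.
    Returns (displayed_text, [(offset, trigger), ...])."""
    host = host.lower()  # hostnames are case-insensitive
    by_length = sorted(ligatures, key=len, reverse=True)
    out, hits, i = [], [], 0
    while i < len(host):
        for seq in by_length:
            if host.startswith(seq, i):
                out.append(ligatures[seq])
                hits.append((i, seq))
                i += len(seq)
                break
        else:  # no trigger starts here
            out.append(host[i])
            i += 1
    return "".join(out), hits


def check_host(host, ligatures=LIGATURES):
    """Report whether shaping would change what the user sees. A UI that
    shows security-relevant text can use this to fall back to rendering
    with ligatures disabled whenever 'hits' is non-empty."""
    displayed, hits = shape(host, ligatures)
    return {
        "host": host.lower(),
        "displayed": displayed,
        "hits": hits,
        "safe_to_shape": not hits,
    }


if __name__ == "__main__":
    # Constructed sample hostnames.
    for h in ("googlelogoligature.example", "my-glogoligature.example",
              "example.com"):
        print(check_host(h))
```

A denylist like this only covers triggers already known; disabling ligatures for address text, as suggested above, does not depend on knowing them.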

    • madeofpalk 3 hours ago

      Neat to see how impressed the Google team was at how novel this issue was.

      • bsimpson 3 hours ago

        I imagine the overlap between number of people who know about google_logo and that the Omnibar is set in Google Sans is quite small.

    • jasonthorsness 2 hours ago

      And look, a working bug bounty program!

      “$10,000 for report of high-quality && high-impact security UI issue + $5,000 bonus for unique, novel cool bug -- this was a very neat discovery!”

sjs382 2 hours ago

There are many others including "glogoligature".

stefan_ 2 hours ago

I thought there was something wrong with this blog post that kept writing "googlelogoligature" but no, some absolute cretin really added that as a ligature to the font.

sublinear 2 hours ago

> Fonts can include "ligatures", which let font designers special-case specific combinations of letters ... but the feature has been (ab)used for many other things

Same reason to not use ligatures in your IDE, terminal, etc.

Did that trend finally die off?

  • nine_k 2 hours ago

    Ligatures that give slightly stylized rendering to stuff like <!-- or even replace a >= with a ≥ in your source code view are much less prone to exploitation than a "ligature" that replaces an 18-letter sequence with the word "Google" in your browser's address bar. It's like comparing the hazardousness levels of a safety pin and of a chainsaw.

  • jasonthorsness 2 hours ago

    My great fear is they will become so popular that the option to disable them will be forgotten. I can’t stand the ligatures that noticeably change and merge the glyphs.

    • wbl 2 hours ago

      Have you ever read a book typeset without them? Imagine a dot in fig where the loop of the f conflicts.

      • toast0 an hour ago

        I like the dotted i in fig, thank you. Not a big fan of underlines that don't cross descenders either.

      • jasonthorsness an hour ago

        Those historical use cases are fine and important, the problem ones are the ones in monospace fonts that change <= to ≤ and that sort of thing, or even crazier abuses like shown here.

  • kstrauser 2 hours ago

    Fortunately, no. They’re increasingly well supported for the user base who think they look nice… like me.

    I love the way my code looks in Berkeley Mono on any modern editor version. Seeing `>=` render similar to `≥` makes me smile. It’s a tiny visual tweak that doesn’t even cause anything to move on the screen, because that font’s ligatures are the same width as the characters they replace. I see no downside to it for me.

    • layer8 4 minutes ago

      Personally, I find an extra-wide “≥” more ugly and jarring than “>=”. If anything, I would prefer programming languages to understand the actual Unicode “≥”, and people learning how to type that (Compose key, dedicated IDE support, or whatever). It would be nice for more people to appreciate that the characters one can type aren’t limited to the symbols printed on the keyboard.