Jeffrey Yasskin recently pointed out an interesting security bug:

The idea is that if you had registered googlelogoligature.net, then Chrome on Android (and possibly other Google products) would have displayed it as Google.net, potentially tricking users into thinking they were really interacting with Google.

To see how this worked, you can try searching Google for ["googlelogoligature"], and you'll see it shows up as "Google":

Poking around in devtools shows that this depends on the specific font they're using, "Google Sans". If I turn that off, my "googlelogoligature" shows up just as I typed it:

Fonts can include "ligatures", which let font designers special-case specific combinations of letters. These were intended to support things like "f" followed by "i" blending into "fi" nicely, but the feature has been (ab)used for many other things, including complex emoji. In this case, Google Sans has a specific way of drawing "googlelogoligature" that looks like a mildly stylized "Google".

Using a ligature to get the Google logo into text-only interfaces is a reasonable product decision, but it shouldn't have been added to a general-purpose font, and especially not to a font used for rendering attacker-controlled text in security-sensitive contexts.

(When I first saw it I thought this might be an example of a unicode-driven vulnerability, but sadly not.)
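One check before shipping a font for user-controlled text is to list every ligature it defines and flag the ones that swallow a whole word rather than two or three letters. The script below is an added example, not code from the post: it reads a font's GSUB ligature lookups with fontTools (assumed installed only when auditing a real font), and the `SAMPLE_LIGATURES` table and the `google_logo` glyph name are constructed stand-ins for what such a font might contain.

```python
"""Audit an OpenType font's ligature substitutions for multi-letter ligatures
that could make attacker-controlled text render as a different word."""
from typing import Dict, List, Tuple

# Constructed sample: source text -> ligature glyph name (hypothetical names).
SAMPLE_LIGATURES = {
    "fi": "fi",                            # classic 2-letter typographic ligature
    "fl": "fl",
    "googlelogoligature": "google_logo",   # whole-word ligature, as in the post
}

def suspicious_ligatures(ligatures: Dict[str, str], max_len: int = 3) -> List[Tuple[str, str]]:
    """Return (source text, ligature glyph) pairs whose source is longer than
    max_len characters. Typographic ligatures join 2-3 letters; anything longer
    replaces a whole word and needs review before the font touches user text."""
    return sorted((src, glyph) for src, glyph in ligatures.items() if len(src) > max_len)

def extract_ligatures(font_path: str) -> Dict[str, str]:
    """Map every GSUB ligature (LookupType 4, including ones wrapped in
    Extension lookups) to its source text. Components without a cmap entry
    are shown as '?'."""
    from fontTools.ttLib import TTFont  # lazy import: only needed for real fonts
    font = TTFont(font_path)
    glyph_to_char = {name: chr(cp) for cp, name in font.getBestCmap().items()}
    found: Dict[str, str] = {}
    if "GSUB" not in font:
        return found
    for lookup in font["GSUB"].table.LookupList.Lookup:
        for sub in lookup.SubTable:
            kind = lookup.LookupType
            if kind == 7:  # Extension lookup: unwrap the real subtable
                kind, sub = sub.ExtensionLookupType, sub.ExtSubTable
            if kind != 4:
                continue
            for first, ligs in sub.ligatures.items():
                for lig in ligs:
                    comps = [first] + list(lig.Component)
                    text = "".join(glyph_to_char.get(g, "?") for g in comps)
                    found[text] = lig.LigGlyph
    return found

if __name__ == "__main__":
    import sys
    ligs = extract_ligatures(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LIGATURES
    for src, glyph in suspicious_ligatures(ligs):
        print(f"{src!r} -> {glyph} ({len(src)} chars)")
```

Run it with a font path to audit a real font; on the page side, `font-variant-ligatures: none` on elements that display user-controlled strings such as URLs stops the browser from applying these substitutions at all.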


One person's "cool feature" is another person's "security vulnerability".

Well, using a ligature to display ‘Google’ with a slanted ‘e’ would be just fine. But why in the heavens would someone make a completely different set of characters, “googlelogoligature”, draw as “Google”? That’s just stupid.

Presumably they wanted to be able to include both "Google" and the Google logo on the same pages, and a font that can do both is a reasonable way to do that.

Creating the font was reasonable; it was the choice to use it outside of their own web pages, and especially to apply it to user-controlled text, that was a bad call.

I still don’t see this as reasonable in any way. This will, e.g., break all the screen readers as well. If you really want to do this, use a specialized font and a single unprintable Unicode character instead, like Font Awesome does.

Reading out “google logo ligature” in a font reader seems more informative than skipping the logo entirely, which is what an unprintable unicode character would do.

I agree. I was not precise in my statement—what I wanted to say was that if for some reason they are trying to use it in place of a picture, as a decoration (which I can’t really see why), then this would be the approach. Still, I think using a ligature for the word Google is the right approach.

Realistically wouldn't that mean having two versions of the font, one with the ligature and one without? Perhaps they do have two versions and some developer just used the wrong one at some point. Seems like it would be an easy mistake to make.