The linked article on Unicode is far more interesting actually. I never really cared to think before how Unicode works, but reading the submission letter of beet emoji was the most interesting thing I've read this month so far.
jasonthorsness · 2h ago
It’s difficult (impossible?) to force a font on the web in a way that can’t be overridden by some users. This must have been a font designed for device-specific applications picked up for other use-cases? Or maybe they just didn’t care that the long tail of users might see the string “googlelogoligature” instead of the logo.
em-bee · 2h ago
any website that supplies its own fonts will work. the number of people that would override the fonts specified in a website is small.
void-pointer · 1h ago
Why didn’t google just use a Unicode private use code point like apple does with U+F8FF? ()
layer8 · 46m ago
Because that wouldn’t degrade gracefully with a different font.
odo1242 · 7m ago
I mean, “googlelogoligature” degrades just as gracefully as “undefined”, I would say
Gotta love that the patch isn't fixing the font, but adding a rule for domain names which contains a substring similar to the ligature name...
em-bee · 2h ago
fixing the font does not help those that downloaded the font and won't get the new version. it also does not prevent malicious code from replacing the font on your machine with a version that has the ligature.
in fact this could be a novel attack vector. replace fonts on victims devices to hide the true address of a website. the fix then would have to be to not display any ligatures at all in website addresses, which in my opinion would be a smart change.
toast0 · 1h ago
> fixing the font does not help those that downloaded the font and won't get the new version. it also does not prevent malicious code from replacing the font on your machine with a version that has the ligature.
Fixing the code doesn't help users that downloaded code and don't get the new version either.
Malicious code that can replace a font can replace a lot more too.
em-bee · 40m ago
right, but a replacing a font is much easier than replacing a browser.
anal_reactor · 9m ago
I can imagine a group of excited guys coming up with that idea as something cool, and then the whole thing slowly evolving into a yet another branding tool.
jasonthorsness · 2h ago
And look, a working bug bounty program!
“$10,000 for report of high-quality && high-impact security UI issue + $5,000 bonus for unique, novel cool bug -- this was a very neat discovery!”
madeofpalk · 3h ago
Neat to see how impressed the Google team was at how novel this issue was.
bsimpson · 3h ago
I imagine the overlap between number of people who know about google_logo and that the Omnibar is set it Google Sans is quite small.
sjs382 · 2h ago
There are many others including "glogoligature".
sublinear · 2h ago
> Fonts can include "ligatures", which let font designers special-case specific combinations of letters ... but the feature has been (ab)used for many other things
Same reason to not use ligatures in your IDE, terminal, etc.
Did that trend finally die off?
nine_k · 2h ago
Ligatures that give slightly stylized rendering to stuff like <!-- or even replace a >= with a ≥ in your source code view are much less prone to exploitation than a "ligature" that replaces a 18-letter sequence with the word "Google" in your browser's address bar. It's like comparing the hazardousness levels of a safety pin and of a chainsaw.
jasonthorsness · 2h ago
My great fear is they will become so popular that the option to disable them will be forgotten. I can’t stand the ligatures that noticeably change and merge the glyphs.
wbl · 2h ago
Have you ever read a book typeset without them? Imagine a dot in fig where the loop of the f conflicts.
jasonthorsness · 1h ago
Those historical use cases are fine and important, the problem ones are the ones in monospace fonts that change <= to ≤ and that sort of thing, or even crazier abuses like shown here.
toast0 · 1h ago
I like the dotted i in fig, thank you. Not a big fan of underlines that don't cross descendeds either.
kstrauser · 2h ago
Fortunately, no. They’re increasingly well supported for the user base who think they look nice… like me.
I love the way my code looks in Berkeley Mono on any modern editor version. Seeing `>=` render similar to `≥` makes me smile. It’s a tiny visual tweak that doesn’t even cause anything to move on the screen, because that font’s ligatures are the same width as the characters they replace. I see no downside to it for me.
layer8 · 36m ago
Personally, I find an extra-wide “≥” more ugly and jarring than “>=“. If anything, I would prefer programming languages to understand the actual Unicode “≥”, and people learning how type that (Compose key, dedicated IDE support, or whatever). It would be nice for more people to appreciate that the characters one can type aren’t limited to the symbols printed on the keyboard.
kstrauser · 13m ago
Every editor and language I use is fine with Unicode in files, but I don’t know if that’s true for everyone I collaborate with. Sure, I can type all those symbols, but can they? Does a screen reader pronounce them reasonably? Do they render correctly in GitHub’s web source code viewers? Will I ever get as fast typing composed characters as just pressing `>=`? Does everyone use a font that supports those codepoints? I don’t know. Probably, but who can tell? I tend to limit non-ASCII text to inside quoted strings and use exclusively ASCII-compatible codes for all identifiers.
But the great part about ligatures is that I can use fonts that support them and enable them in my editors because I think they look pretty. Anyone who doesn’t like their appearance can just not use them. We can both have editors that look nice to ourselves without making the other’s editors look worse. How often can we say that?
stefan_ · 2h ago
I thought there was something wrong with this blog post that kept writing "googlelogoligature" but no some absolute cretin really added that as a ligature to the font.
(Which is to say that it doesn’t)
But ligature is indeed still visible on Google search.
Gotta love that the patch isn't fixing the font, but adding a rule for domain names which contains a substring similar to the ligature name...
in fact this could be a novel attack vector. replace fonts on victims devices to hide the true address of a website. the fix then would have to be to not display any ligatures at all in website addresses, which in my opinion would be a smart change.
Fixing the code doesn't help users that downloaded code and don't get the new version either.
Malicious code that can replace a font can replace a lot more too.
“$10,000 for report of high-quality && high-impact security UI issue + $5,000 bonus for unique, novel cool bug -- this was a very neat discovery!”
Same reason to not use ligatures in your IDE, terminal, etc.
Did that trend finally die off?
I love the way my code looks in Berkeley Mono on any modern editor version. Seeing `>=` render similar to `≥` makes me smile. It’s a tiny visual tweak that doesn’t even cause anything to move on the screen, because that font’s ligatures are the same width as the characters they replace. I see no downside to it for me.
But the great part about ligatures is that I can use fonts that support them and enable them in my editors because I think they look pretty. Anyone who doesn’t like their appearance can just not use them. We can both have editors that look nice to ourselves without making the other’s editors look worse. How often can we say that?