Skip to content

GitLab

Closed (moved) (moved)
Created by Arthur Edelstein@arthuredelstein

font whitelist fails to stop local fonts in @font-face

In #13313 (moved), we introduced a font whitelist pref. John Daggett pointed out in https://bugzilla.mozilla.org/show_bug.cgi?id=1121643#c6 that a CSS rule like:

   @font-face {
     font-family: "MyTimes";
     src: local("Times");
   }

allows content to use "Times" even if it is not in our whitelist.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information