font whitelist fails to stop local fonts in @font-face

In #13313 (moved), we introduced a font whitelist pref. John Daggett pointed out in https://bugzilla.mozilla.org/show_bug.cgi?id=1121643#c6 that a CSS rule like:

   @font-face {
     font-family: "MyTimes";
     src: local("Times");
   }

allows content to use "Times" even if it is not in our whitelist.
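
An added example (not from this ticket or from the browser's own code): a stylesheet audit that lists every `@font-face` rule whose `local()` source names a font outside the allowed list, which is the lookup a font whitelist has to cover. The whitelist entries and the second rule in the sample CSS are constructed for illustration; the first rule is the one quoted above.

```javascript
// Added example: flag @font-face rules that alias a non-whitelisted system
// font through src: local(...). WHITELIST and SAMPLE_CSS are constructed.

function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Return [{ family, local }] for every local() source in every @font-face block.
function localFontSources(css) {
  const found = [];
  const blockRe = /@font-face\s*\{([^}]*)\}/gi;
  for (const block of stripComments(css).matchAll(blockRe)) {
    const body = block[1];
    const fam = /font-family\s*:\s*(?:"([^"]*)"|'([^']*)'|([^;]+))/i.exec(body);
    const family = fam ? (fam[1] ?? fam[2] ?? fam[3]).trim() : null;
    // local() accepts a quoted string or an unquoted family name.
    const localRe = /\blocal\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*))\s*\)/gi;
    for (const src of body.matchAll(localRe)) {
      found.push({ family, local: (src[1] ?? src[2] ?? src[3]).trim() });
    }
  }
  return found;
}

// Font family names match case-insensitively, so compare lowercased.
function whitelistBypasses(css, whitelist) {
  const allowed = new Set(whitelist.map((name) => name.toLowerCase()));
  return localFontSources(css).filter(
    (s) => !allowed.has(s.local.toLowerCase())
  );
}

const WHITELIST = ["Arimo", "Tinos"]; // constructed allowed list

const SAMPLE_CSS = `
/* rule from the ticket */
@font-face { font-family: "MyTimes"; src: local("Times"); }
/* constructed rule that stays inside the allowed list */
@font-face { font-family: "Body"; src: local(arimo), url(body.woff2); }
`;

for (const hit of whitelistBypasses(SAMPLE_CSS, WHITELIST)) {
  console.log(`"${hit.family}" resolves to non-whitelisted local font "${hit.local}"`);
}
```

A pref that filters only `font-family` lookups would pass the alias "MyTimes" in the first rule; the audit reports it because the check is made on the name inside `local()`.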
