Disable downloadable fonts on Safest security level
Websites can circumvent the measures Tor Browser / NoScript use to reject fonts.
Fonts can be injected as “application/font” data in base64 format, directly into the CSS! I discovered this at CSS Tricks... go figure. I've noticed this on another website since.
To replicate, go to the above site in Tor's highest security setting.
You'll see that the fonts are not your usual fonts.
Inspect the CSS and you'll see code like this to "import" the fonts:
```css
@font-face { font-family:sentinel ssm a; src:url(data:application/x-font-woff2;base64,d09GMgABAAAAAFKQABIAAAAArzgAAFIsAAFNDgAAAAA etc etc); font-weight:400; font-style:normal }
```
The thing that struck me is that the embedded MIME type is ‘application/x-font-woff2’. What other “application” types might be embeddable and usable/executable?
I did a search and didn't see this as a ticket.
Trac:
Username: dcent
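As an added example (not from the ticket, and not Tor Browser or NoScript code), here is a stylesheet-level check in JavaScript for the bypass described above: it finds `@font-face` rules whose `src` is a `data:` URI, reports the embedded MIME type and whether the payload is base64, and can drop those rules from the CSS. The sample stylesheet is constructed for the example; its base64 payloads are truncated placeholders, not real fonts.

```javascript
// Added example, not code from the ticket or from Tor Browser / NoScript.
// It scans raw CSS text for @font-face rules whose src is a data: URI,
// i.e. fonts embedded inline in the stylesheet instead of being fetched
// as separate resources. A font blocker that only filters font *requests*
// never sees these, which is the bypass the ticket describes; inspecting
// the stylesheet text itself is one way to catch them.

// One @font-face { ... } block per match. Assumes no nested braces inside
// the block, which holds for ordinary @font-face declarations.
const FONT_FACE_RE = /@font-face\s*\{([^}]*)\}/gi;

// url(...) tokens inside a declaration body, with optional quotes.
const URL_RE = /url\(\s*(['"]?)([^'")]+)\1\s*\)/gi;

// Parse the sources of one @font-face body and keep only data: URIs,
// returning the declared MIME type and whether the payload is base64.
function dataUriSources(body) {
  const found = [];
  for (const m of body.matchAll(URL_RE)) {
    const url = m[2].trim();
    if (!/^data:/i.test(url)) continue;
    // data:<mime>[;param...][;base64],<payload>
    const comma = url.indexOf(',');
    const header = url.slice(5, comma === -1 ? url.length : comma);
    const params = header.split(';');
    found.push({
      mime: (params[0] || 'text/plain').toLowerCase(),
      base64: params.slice(1).some(p => p.trim().toLowerCase() === 'base64'),
    });
  }
  return found;
}

// List every @font-face that embeds a data: URI, with its font-family.
function findDataUriFonts(cssText) {
  const hits = [];
  for (const block of cssText.matchAll(FONT_FACE_RE)) {
    const body = block[1];
    const fam = /font-family\s*:\s*([^;]+)/i.exec(body);
    const family = fam ? fam[1].trim().replace(/^['"]|['"]$/g, '') : '';
    for (const src of dataUriSources(body)) hits.push({ family, ...src });
  }
  return hits;
}

// Drop the offending @font-face blocks entirely; everything else is kept.
function stripDataUriFonts(cssText) {
  return cssText.replace(FONT_FACE_RE, (rule, body) =>
    dataUriSources(body).length ? '' : rule);
}

// Constructed sample stylesheet (payloads truncated and not real fonts):
// one inline WOFF2 shaped like the ticket's, one inline WOFF with a quoted
// URL, and one ordinary remote font that a request-level blocker would stop.
const SAMPLE_CSS = `
@font-face { font-family:sentinel ssm a; src:url(data:application/x-font-woff2;base64,d09GMgABAAAAAFKQ); font-weight:400; font-style:normal }
@font-face {
  font-family: "Body Sans";
  src: url("data:font/woff;base64,d09GRgABAAAA") format("woff");
}
@font-face { font-family: Remote; src: url(/fonts/body.woff2) format("woff2"); }
body { font-family: sentinel ssm a, sans-serif; }
`;
```

Usage: `findDataUriFonts(SAMPLE_CSS)` returns two entries (the inline WOFF2 and WOFF) and ignores the remote font; `stripDataUriFonts(SAMPLE_CSS)` returns the stylesheet with those two rules removed. The regexes are deliberately simple and cover plain `@font-face` declarations only; a real filter would run on the parsed CSSOM rather than on text.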