InformAction Forums

Noscript 10 does not appear to block web-fonts if they are provided as data:
Example page: https://yle.fi/uutiset

The icons for search (hae) and menu (valikko) are provided by the font-face above.

This is still an issue (Noscript Version 10.1.6.4). If additional info is needed, please ask.

NS 10.1.6.6 RC2 is still affected.

NoScript treats data: URIs for embedded resources as same origin with the document (even though when they represent HTML documents they've been recently demoted to null origin, making them safer than before because scripts couldn't access parent resources).
Therefore unless fonts are enabled for yle.fi, data: fonts shouldn't be rendered.

I suspect what you've actually noticed is the font being aggressively cached by Firefox.
Steps to reproduce:

1. Open https://yle.fi/uutiset with the cache cleared and default NoScript settings
2. Watch the font not being rendered
3. Change yle.fi permissions to CUSTOM (you'll see the [font] permission checkbox gets a red background, signifying some webfont load has been attempted), and check the font box
4. On reload the font will be rendered
5. Now turn the domain back to DEFAULT (or just remove the font capability from the CUSTOM permissions)
6. On auto-reload and subsequent "soft" reloads, the font is still rendered
7. Clear the cache or just hard-reload (shift+F5)
8. The font shouldn't be rendered anymore

Please let me know if you observe anything different, thanks.

Thanks for the response. I personally would like to wait for the original bug reporter to reply as the difference between with and without fonts is not so obvious on that page or probably my eyesight is not the best.

Ah, sorry, have not been paying attention to this report for a while.

Unfortunately no amount of clearing cache, history, etc., makes the icons disappear.

Attached image to show difference between unblocked and blocked.



As far as I can tell, Noscript currently blocks fonts only in onBeforeRequest, that is, if they are actually "fetched". So I don't see how it would block data: URIs. That said, I made a little patch that fixed the problem for me.
So simply checking if fonts are allowed (canFont) and respectively adding the "font" to "blockedTypes" to create the font-src:'none' CSP rule. Just like it's done with scripts.

Hope this helps.

Thanks for the patch.
Sorry, when I reviewed your PoC I was looking at the readable fonts on the toolbar and completely missed the icon font.
Actually I'd expect onBeforeRequest to intercept data: URIs on Firefox (unlike Chrome, which doesn't) based on the original WebExtension API implementation, so I'm gonna investigate further.
I'll consider also merging your patch, but as far as I can see there's an important difference with the expected behavior, i.e. it would block any font load on the page, not just data:
Thanks again

Sorry, should have pointed the difference out. Also worth noting explicitly is that with the patch, if one wishes to allow/use fonts (awesome, gstatic, etc.) on some page, they are also forced to set that domain as allowed SOURCE of fonts. I wonder how big of a problem that is?

Related, how big of a threat are webfonts these days? It's been almost ten years since webfonts were introduced. One would assume that the font parsers have matured since.

Please check latest development build 10.1.7rc3, thanks.

v 10.1.7rc3
=============================================================
+ Pressing DEL while on a fixed/absolutely positioned element
of a script-disabled page removes it, allowing users to
dismiss in-content popup "windows" and blocking overlays
x Fixed changing sites permission resets local preferences
regression from 10.1.7rc1 (thanks pal1000 for report)
x Fixed data: and blob: fonts not blocked even if the "font"
permission is not given to the main document (thanks
skriptimaahinen for report and preliminary patch)

skriptimaahinen wrote:Sorry, should have pointed the difference out. Also worth noting explicitly is that with the patch, if one wishes to allow/use fonts (awesome, gstatic, etc.) on some page, they are also forced to set that domain as allowed SOURCE of fonts.

I've modified your patch to work-around this limitation. Now it should work as expected: 3rd party fonts permissions independent from 1st party, either HTTP(S) or data:/blob:

skriptimaahinen wrote: Related, how big of a threat are webfonts these days? It's been almost ten years since webfonts were introduced. One would assume that the font parsers have matured since.

Latest big incident in 2015, AFAIK.

Aah, didn't even consider such blank permission as a possibility for the CSP. Very nice.

However, there is still a minor issue with the "needed" marker not updating for the font. Unfortunately the https://yle.fi/uutiset was not the best site to test this as there were "normally" fetched fonts alongside the data-fonts, so the marker was set anyhow. Better site for testing would be plain https://yle.fi as there the only font is the data-one.

The issue seems to culminate around popup.js/initSitesUI, where the "seen"-messages with data-urls get filtered out due to the parsers not being able to handle them.

Giorgio Maone wrote:Latest big incident in 2015, AFAIK.

Maybe give them few more years then...

Please check latest development build, thanks.

v 10.1.7rc4
=============================================================
x "Needed type" feedback in Custom preset for data: and blob:
fonts (thanks skriptimaahinen for report)

Everything seems to be in order now. Thank you!