"application/font" data in base64 format

david001

"application/font" data in base64 format

Post by david001 » Sat Feb 29, 2020 3:05 pm

As I read here: https://trac.torproject.org/projects/tor/ticket/33430 NoScript doesn't block all fonts, although it should IMHO. Shouldn't NoScript avoid using such fonts?


BTW: I cannot post here without activating JS and solving a lot of captchas. Something that should be changed too...
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0

skriptimaahinen
Senior Member
Posts: 179
Joined: Wed Jan 10, 2018 7:37 am

Re: "application/font" data in base64 format

Post by skriptimaahinen » Sun Mar 01, 2020 7:44 am

Can confirm. Couple more test cases:

https://www.mediaevent.de/font-in-css-einbetten/ - If the large "Pacifico" text (scroll down to midway of the page) is in beautiful cursive, the data-fonts are not blocked.

https://yle.fi/uutiset - If the blue nav-bar on top of the page has "location marker" on the left side of "Paikallisuutiset", the data-fonts are not blocked.

The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
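To make the diagnosis above concrete, here is an added example (not NoScript's code) of a minimal CSP evaluator that models scheme-sources and the default-src fallback, plus a hypothetical policy builder that emits "<type>-src http: https:" per blocked type; the font data: URL and the type list are constructed for the demo.

```javascript
// Added example, not taken from NoScript or CapsCSP.js.
// Parse a serialized CSP into a Map of directive name -> source list.
// Only the first occurrence of a directive counts, as in the CSP spec.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Match one source expression against a URL. Only 'none' and
// scheme-sources such as http:, https: and data: are modelled here;
// host-sources, nonces and hashes are out of scope for this demo.
function sourceMatches(source, url) {
  if (source === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.toLowerCase().startsWith(source.toLowerCase());
  }
  return false;
}

// Is `url` allowed for fetch directive `directive` (e.g. "font-src")?
// A missing directive falls back to default-src; if that is missing
// too, the policy places no restriction on the load at all.
function isAllowed(policy, directive, url) {
  const directives = parsePolicy(policy);
  const sources = directives.has(directive)
    ? directives.get(directive)
    : directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url));
}

// Hypothetical builder mirroring the bug described in the thread: one
// "<type>-src http: https:" directive per entry in a "types" list, so a
// type missing from the list gets no directive and data: URLs slip by.
function buildBlockingCsp(types) {
  return types.map((t) => `${t}-src http: https:`).join("; ");
}

// Constructed sample: a base64 font embedded as a data: URL.
const DATA_FONT = "data:application/font-woff;base64,d09GRgABAAAAAAAA";
const WITHOUT_FONT = buildBlockingCsp(["script", "object", "media"]);
const WITH_FONT = buildBlockingCsp(["script", "object", "media", "font"]);
```

Evaluating `DATA_FONT` against `WITHOUT_FONT` yields allowed (no font-src, no default-src), while `WITH_FONT` rejects it because `data:` matches neither `http:` nor `https:`.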

Giorgio Maone
Site Admin
Posts: 8802
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "application/font" data in base64 format

Post by Giorgio Maone » Sun Mar 01, 2020 9:42 am

skriptimaahinen wrote:
Sun Mar 01, 2020 7:44 am
The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?
Yes, it is. Fixing that in next release, thanks.
Mozilla/5.0 (Android 9; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0

Giorgio Maone
Site Admin
Posts: 8802
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: "application/font" data in base64 format

Post by Giorgio Maone » Sun Mar 01, 2020 9:32 pm

Please check latest dev build, thanks.
v 11.0.15rc1
============================================================
x Fixed CapsCSP bug allowing data: URLs to bypass font blocking (thanks dcent and skriptimaahinen)
x [XSS] Prevent DOS detection from being triggered for already aborted requests (thanks therube)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
