As I read here: https://trac.torproject.org/projects/tor/ticket/33430 NoScript doesn't block all fonts, although it should IMHO. Shouldn't NoScript avoid using such fonts?
BTW: I cannot post here without activating JS and solving a lot of captchas. Something that should be changed too...
"application/font” data in base64 format
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
-
- Master Bug Buster
- Posts: 244
- Joined: Wed Jan 10, 2018 7:37 am
Re: "application/font” data in base64 format
Can confirm. Couple more test cases:
https://www.mediaevent.de/font-in-css-einbetten/ - If the large "Pacifico" text (scroll down to midway of the page) is in beautiful cursive, the data-fonts are not blocked.
https://yle.fi/uutiset - If the blue nav-bar on top of the page has "location marker" on the left side of "Paikallisuutiset", the data-fonts are not blocked.
The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?
Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: "application/font” data in base64 format
skriptimaahinen wrote: ↑Sun Mar 01, 2020 7:44 am
The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?

Yes, it is. Fixing that in next release, thanks.
Mozilla/5.0 (Android 9; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: "application/font” data in base64 format
Please check latest dev build, thanks.
v 11.0.15rc1
============================================================
x Fixed CapsCSP bug allowing data: URLs to bypass font
blocking (thanks dcent and skriptimaahinen)
x [XSS] Prevent DOS detection from being triggered for
already aborted requests (thanks therube)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
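The diagnosis in this thread, as an added example that is not part of the original posts and is not NoScript's CapsCSP.js: when a type is missing from the list that drives CSP generation, no "font-src" directive is emitted and a data: font stays loadable. The function names, type lists and sample font URL are constructed for illustration, and the checker evaluates scheme-sources only.

```javascript
// Added illustration, NOT NoScript's code. All names here are hypothetical.

// Emit "<type>-src http: https:" for every listed type the site is not allowed,
// so data: (and blob:) sources of that type are refused by the browser.
function buildCsp(types, allowedCapabilities) {
  return types
    .filter((type) => !allowedCapabilities.has(type))
    .map((type) => `${type}-src http: https:`)
    .join("; ");
}

// Parse a header value into Map(directive name -> source expressions).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does the policy let a resource of `type` load from `url`?
// Only scheme-sources are evaluated, which is all a data: URL can match.
function cspAllows(header, type, url) {
  const directives = parseCsp(header);
  const sources = directives.get(`${type}-src`) ?? directives.get("default-src");
  if (sources === undefined) return true; // no governing directive: unrestricted
  const scheme = new URL(url).protocol; // e.g. "data:"
  return sources.some((src) => {
    const s = src.toLowerCase();
    // A scheme-source matches its own scheme; "http:" also matches https URLs.
    return s === scheme || (s === "http:" && scheme === "https:");
  });
}

// Constructed sample: an embedded font as it would appear in an @font-face src.
const DATA_FONT = "data:application/font-woff;base64,d09GRgABAAAAAA==";
const noCapabilities = new Set(); // site with nothing allowed

// Constructed type lists: the first lacks "font", the second includes it.
const before = buildCsp(["object", "media"], noCapabilities);
const after = buildCsp(["object", "media", "font"], noCapabilities);

console.log("before:", before, "-> data: font allowed?", cspAllows(before, "font", DATA_FONT));
console.log("after: ", after, "-> data: font allowed?", cspAllows(after, "font", DATA_FONT));
```

To check a real page, compare the Content-Security-Policy response header shown in the browser's network panel against the same rule: a data: font is refused only if "font-src" (or "default-src") is present and does not list "data:".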