"application/font” data in base64 format

david001 · Post by **david001** » Sat Feb 29, 2020 3:05 pm

As I read here: https://trac.torproject.org/projects/tor/ticket/33430 NoScript doesn't block all fonts, although it should IMHO. Shouldn't NoScript avoid using such fonts?

BTW: I cannot post here without activating JS and solve a lot of captchas. Something, that should be changed too...

Post by **skriptimaahinen** » Sun Mar 01, 2020 7:44 am

Can confirm. Couple more test cases:

https://www.mediaevent.de/font-in-css-einbetten/ - If the large "Pacifico" text (scroll down to midway of the page) is in beautiful cursive, the data-fonts are not blocked.

https://yle.fi/uutiset - If the blue nav-bar on top of the page has "location marker" on the left side of "Paikallisuutiset", the data-fonts are not blocked.

The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?

Post by **Giorgio Maone** » Sun Mar 01, 2020 9:42 am

skriptimaahinen wrote: ↑Sun Mar 01, 2020 7:44 am The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?

Yes, it is. Fixing that in next release, thanks.

Post by **Giorgio Maone** » Sun Mar 01, 2020 9:32 pm

Please check latest dev build, thanks.
v 11.0.15rc1
============================================================
x Fixed CapsCSP bug allowing data: URLs to bypass font
blocking (thanks dcent and skriptimaahinen)
x [XSS] Prevent DOS detection from being triggered for
already aborted requests (thanks therube)

InformAction Forums

"application/font” data in base64 format

"application/font” data in base64 format

Re: "application/font” data in base64 format

Re: "application/font” data in base64 format

Re: "application/font” data in base64 format