General discussion about the NoScript extension for Firefox
Post Reply
Posts: 9
Joined: Sun Apr 05, 2009 3:01 pm


Post by anthoy » Thu Oct 22, 2009 9:06 am

"Forbid @font-face" option in the "Embeddings" panel

Webfonts blocking from untrusted sources and on untrusted pages, controlled by the noscript.forbidFonts about:config preference (UI planned for later, thanks Mike Perry for RFE)

How can font downloading be dangerous for security or privacy?
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

User avatar
Giorgio Maone
Site Admin
Posts: 8830
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: @font-face

Post by Giorgio Maone » Thu Oct 22, 2009 10:35 am

Quoting Mike Perry (Torbutton's developer) who, among others, asked for this feature:
Mike Perry wrote:It really worries me that the FreeType font library is now being made
to accept untrusted content from the web.

The library probably wasn't written under the assumption that it would
be fed much more than local fonts from trusted vendors who are already
installing arbitrary executable on a computer, and it's already had a
handful of vulnerabilities found in it shortly after it first saw use
in Firefox.

It is a very large library that actually includes a virtual machine
that has been rewritten from pascal to single-threaded non-reentrant C
to reentrant C.. The code is extremely hairy and hard to review,
especially for the VM.

The reason I don't want to do this blocking in Torbutton is because
Torbutton is only about protecting users from privacy risks, not
general security risks. Users who want enhanced security are
encouraged to use your extension and others on our FAQ page.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

Post Reply