[Tor/FIXED] Web fonts not blocked, again
-
- Posts: 5
- Joined: Thu Feb 17, 2022 2:31 pm
[Tor/FIXED] Web fonts not blocked, again
Hello everyone,
first things first: NoScript is a great tool, I love it and have used it for many years already.
Very recently I have come across a problem, though — I found some mention of it, but those former issues were obviously solved, so let me ask again:
I am a Tor user and expect the combination of Tor Browser and NoScript to block any web fonts if the check box “font” is checked (I have checked it in the “Default” setting and unchecked in “Trusted”).
And yet, for a couple days web fonts are displayed anyway.
Is it just me, or is anyone else experiencing the newly changed behaviour?
Thank you for your time, and thanks for NoScript!
Is it just me, or … ٩(๏̯͡๏)ゞ
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Web fonts not blocked, again
It's the other way out: the boxes are capabilities (like "can load fonts" or "can run scripts"), and if you check them you're allowing the site to use them.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
-
- Posts: 5
- Joined: Thu Feb 17, 2022 2:31 pm
Re: Web fonts not blocked, again
Sorry Giorgio, I am a little overwhelmed today, hence miswrote:
I UNchecked in “Default” and checked in “Trusted”.
Is it just me, or … ٩(๏̯͡๏)ゞ
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Web fonts not blocked, again
SomeTorUser wrote: ↑Thu Feb 17, 2022 4:11 pm
Sorry Giorgio, I am a little overwhelmed today, hence miswrote:
I UNchecked in “Default” and checked in “Trusted”.

Can you point me to real-world examples with URLs and browser / extension versions where I can easily reproduce?
Thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Re: Web fonts not blocked, again
Giorgio Maone wrote: ↑Thu Feb 17, 2022 4:43 pm
Can you point me to real-world examples with URLs and browser / extension versions where I can easily reproduce?
Thanks!

Like this very forum. Like he said, the TOR brand of Firefox, "safest" setting. NoScript 11.3.
Fonts are not the only problem, media is also wrongly allowed. There might be other problems too.
Funny how every software seems to "improve" in this manner when programmers start caring more about ideologically-motivated virtue-signaling through DVCS branch names, than about actual coding.
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
-
- Posts: 5
- Joined: Thu Feb 17, 2022 2:31 pm
Re: Web fonts not blocked, again
Yes, agreed with dnolan: It happens basically anywhere and everywhere.
Both Tor and NoScript are up-to-date:
Tor Browser 11.0.6 (based on Mozilla Firefox 91.6.0esr)
NoScript 11.3
Another example site, the German news magazine Spiegel: https://www.spiegel.de
They use their own fonts via @font-face.
I hope that helps.
Is it just me, or … ٩(๏̯͡๏)ゞ
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Web fonts not blocked, again
I can see this effect myself, but as far as I can tell it's just the browser aggressively caching webfonts.
You'll get the same results if you try to block them with uBlock, for instance, if you've already downloaded them once. In the devtools Network panel you'll notice they're either reported as blocked (by NoScript or uBlock) or otherwise not reported at all, even if they're displayed.
If you disable the cache (in devtools) or clear it, or use a clean profile which has never "seen" those fonts yet, you won't see them anymore.
On Firefox, at least. On Chromium it's even stickier, and seemingly quite difficult to work around (yes, I've also tried to clear ALL the data :/).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
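The two explanations given so far in this thread (a checked box is an allowed capability; an already cached font is displayed without any new request being reported) can be seen together in a toy model. This is an added example, not NoScript's or the browser's code; the preset contents, hosts and every name in it are constructed for illustration.

```javascript
// Simplified model, not NoScript's or the browser's code; all names are hypothetical.
// A preset lists capabilities a site MAY use (a checked box = allowed).
const PRESETS = {
  DEFAULT: new Set(["frame", "other"]),   // "font" and "media" unchecked
  TRUSTED: new Set(["script", "font", "media", "frame", "other"]),
};
const sitePresets = new Map();            // host -> preset name (constructed)

// Decision a blocking request listener would return for one request.
function decide(details) {
  const known = ["script", "font", "media", "frame"];
  const capability = known.includes(details.type) ? details.type : "other";
  const host = new URL(details.documentUrl).hostname;
  const preset = sitePresets.get(host) || "DEFAULT";
  return { cancel: !PRESETS[preset].has(capability), preset, capability };
}

// Toy font loader: a cache hit is served without asking the listener,
// so a previously downloaded font is displayed whatever the policy says.
class FontLoader {
  constructor({ cacheEnabled = true } = {}) {
    this.cacheEnabled = cacheEnabled;
    this.cache = new Set();
    this.networkLog = [];                 // what a Network panel would list
  }
  load(fontUrl, documentUrl) {
    if (this.cacheEnabled && this.cache.has(fontUrl)) {
      return { displayed: true, source: "cache" };   // nothing logged
    }
    const verdict = decide({ type: "font", url: fontUrl, documentUrl });
    this.networkLog.push({ url: fontUrl, blocked: verdict.cancel });
    if (verdict.cancel) return { displayed: false, source: "blocked" };
    if (this.cacheEnabled) this.cache.add(fontUrl);
    return { displayed: true, source: "network" };
  }
}

// Constructed scenario: fonts allowed once, then the site goes back to DEFAULT.
function scenario() {
  const page = "https://news.example/", font = "https://news.example/f.woff2";
  const loader = new FontLoader();
  sitePresets.set("news.example", "TRUSTED");
  const first = loader.load(font, page);        // fetched and cached
  sitePresets.delete("news.example");
  const cached = loader.load(font, page);       // shown from cache, not logged
  loader.cache.clear();
  const afterClear = loader.load(font, page);   // now reaches the listener
  return { first, cached, afterClear, log: loader.networkLog };
}
```

In this model, constructing the loader with `cacheEnabled: false` corresponds to disabling the cache in devtools: every load then goes through `decide`.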
-
- Posts: 5
- Joined: Thu Feb 17, 2022 2:31 pm
Re: Web fonts not blocked, again
Thanks for your reply.
Until a few days ago, I would have agreed with your assessment. Up to that point, closing Tor Browser reset the browser and made it “forget” the downloaded fonts. Since then, closing does not have this effect anymore.
Additionally, I have just now visited a few websites I can be sure to never have visited before: they display web fonts even on first visit, so this can’t be a cache problem whatsoever.
For now, I disabled web fonts entirely via about:config, setting gfx.downloadable_fonts.enabled to “false” and gfx.downloadable_fonts.disable_cache to “true”. But on some trusted websites (e.g. some I designed myself) I would prefer being able to allow web fonts being rendered correctly.
Do you think there will be a solution?
(Also, maybe related, as dnolan mentioned earlier, the behaviour of audio and video files has changed. I am not sure when that did actually happen, it’s at least a few weeks, more likely months ago. Earlier, when opening a video or audio file, be it directly or on an embedding page, they were blocked and overlaid with the option to un-block them. Now, on several embedding pages the unblocking overlay doesn’t show; I have to allow JavaScript for the whole page, which makes the media files start instantly. A direct media link (as in https://example.com/some-media.mp4) first shows the files without overlay, but not starting. Right-clicking on the player allows opening the file in a new tab [Ctrl-O]. There, the file is shown with the overlay, then clicking the overlay to unblock does make the audio or video play.)
And let me apologise, I’m well aware that all of it might be a Tor Browser issue — although I think it’s NoScript related.
Is it just me, or … ٩(๏̯͡๏)ゞ
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Web fonts not blocked, again
And it was, indeed, a Tor Browser specific regression (well masked by the cache problem on Firefox and even more dramatic on Chromium).
Should be fixed in latest development build, thanks.
v 11.3.2rc1
============================================================
x Prevent LAN protection from breaking webRequest blocking
on the Tor Browser (thanks TorBrowserUser for reporting)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
-
- Posts: 5
- Joined: Thu Feb 17, 2022 2:31 pm
Re: Web fonts not blocked, again
Giorgio, let me say this: I am truly amazed at how quickly you reply and react. I can’t even begin to imagine how much work the maintenance for NoScript must be, so thanks very, very much.
Also, I can confirm that the font issue has been solved, I did install the RC and it works as expected again.
(The media issue has not changed, though, but I guess that is something for another time, right?)
Is it just me, or … ٩(๏̯͡๏)ゞ
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Web fonts not blocked, again
SomeTorUser wrote: ↑Sat Feb 19, 2022 6:07 pm
(The media issue has not changed, though, but I guess that is something for another time, right?)

Could you please open another thread here, or an issue on GitHub, with more details on reproducing this other problem?
For instance, an actual URL exhibiting the change in behavior, whether it's just Tor Browser or Firefox as well, and possibly the NoScript version where the behavior has changed?
Thanks!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0