"Forbid @font-face" option in the "Embeddings" panel
Webfonts blocking from untrusted sources and on untrusted pages, controlled by the noscript.forbidFonts about:config preference (UI planned for later, thanks Mike Perry for RFE)
How can font downloading be dangerous for security or privacy?
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Quoting Mike Perry (Torbutton's developer) who, among others, asked for this feature:
Mike Perry wrote:
It really worries me that the FreeType font library is now being made
to accept untrusted content from the web.
The library probably wasn't written under the assumption that it would
be fed much more than local fonts from trusted vendors who are already
installing arbitrary executable on a computer, and it's already had a
handful of vulnerabilities found in it shortly after it first saw use
in Firefox.
It is a very large library that actually includes a virtual machine
that has been rewritten from pascal to single-threaded non-reentrant C
to reentrant C.. The code is extremely hairy and hard to review,
especially for the VM.
The reason I don't want to do this blocking in Torbutton is because
Torbutton is only about protecting users from privacy risks, not
general security risks. Users who want enhanced security are
encouraged to use your extension and others on our FAQ page.
