Hi
NoScript forbids @font-face because a maliciously crafted font could exploit the font parsers that are rather old. Indeed, there has been such a vulnerability, see MFSA 2010-08: WOFF heap corruption due to integer overflow (see also hackademix.net » Why NoScript Blocks Web Fonts).
But is this precaution still necessary? With Firefox 3.6.13, Firefox has added the OTS font sanitizer, see MFSA 2010-78: Add support for OTS font sanitizer. This means that potentially vulnerable parts of fonts are blocked. Would this not mean that it is now safe for NoScript to switch on @font-face support by default?
--
Regards
mach
forbid @font-face still necessary?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Re: forbid @font-face still necessary?
IMHO, a good opportunity for NoScript 3 which won't work on Firefox versions without the OTS.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Re: forbid @font-face still necessary?
Hi,
Do you know how to detect users with noscript extensions which are blocking web fonts (e.g. loaded from googleusercontent.com)?
Since many noscript users do not know that fonts get blocked by this extension it seems to be the webdesigner's task to create a workaround for it.
Thanks for your hints!
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
- Giorgio Maone
- Site Admin
Re: forbid @font-face still necessary?
schisch wrote: it seems to be the webdesigner's task to create a workaround for it.
Why? Don't they already provide a fallback for browsers not supporting this feature, and any browser displaying the text anyway with the default font?
However, if you've got scripts enabled on the main page, you can use window.getComputedStyle(document.querySelector("#some-test-element-with-styled-text"), "").width to check for differences between your preferred font and fallbacks.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
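The width comparison suggested in the post above, written out as an added example (not code from the thread or from NoScript). The font name "MyWebFont", the probe string, the 0.5px threshold and the "no-webfont" class are assumptions chosen for illustration.

```javascript
// Detect whether an @font-face font was actually applied by comparing the
// rendered width of a probe string against the generic fallback fonts.
const GENERIC_FALLBACKS = ["serif", "sans-serif", "monospace"];
const PROBE_TEXT = "mmmmmmmmmmlli"; // wide and narrow glyphs exaggerate differences

// Measure the computed width of PROBE_TEXT in the given font-family stack.
function measureWidth(doc, fontFamily) {
  const span = doc.createElement("span");
  span.textContent = PROBE_TEXT;
  span.style.fontFamily = fontFamily;
  span.style.fontSize = "72px";
  // Absolute positioning makes the span block-level, so the computed
  // width is a pixel value instead of "auto".
  span.style.position = "absolute";
  span.style.visibility = "hidden"; // laid out but never shown
  span.style.whiteSpace = "nowrap";
  doc.body.appendChild(span);
  // getComputedStyle expects an element, not a selector string.
  const width = parseFloat(doc.defaultView.getComputedStyle(span, null).width);
  doc.body.removeChild(span);
  return width;
}

// True if the web font changes the width against at least one generic
// fallback. Checking three generics lowers the chance that the web font
// merely has the same metrics as one of them.
function webFontApplied(doc, webFontName) {
  return GENERIC_FALLBACKS.some((generic) => {
    const baseline = measureWidth(doc, generic);
    const withFont = measureWidth(doc, `"${webFontName}", ${generic}`);
    return Math.abs(withFont - baseline) > 0.5;
  });
}

// Usage in a page, once fonts have had time to load (e.g. in a load handler):
// if (!webFontApplied(document, "MyWebFont")) {
//   document.documentElement.classList.add("no-webfont"); // hook for fallback CSS
// }
```

This only works when scripts are allowed on the page, which is the same condition the post states.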
Re: forbid @font-face still necessary?
What workaround?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0