Some objects like web fonts are shared among a lot of websites.
For example, it is not possible to launch an attack by rendering FontAwesome (if it is the real one from http://fontawesome.io/ and not a faked malicious font).
Please make it possible to allow such objects permanently based on their content cryptographic hash value (and not their hosting origin).
Allow objects permanently based on their content hash
- uaty8bipzd
- Posts: 1
- Joined: Sat Aug 20, 2016 5:01 am
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Re: Allow objects permanently based on their content hash
-1
The file would have to be downloaded in order to check its hash. And you do realize it's possible to produce files with colliding hashes, right?
If I don't trust a site, I don't care what hash its active content has nor what the active content is, I don't want it on my machine. FAQ 1.11
The solution to your dilemma is to block the fonts, and use an extension to locally redirect the request to fontawesome.io or a local replacement.
(related: viewtopic.php?f=8&t=17045)
*Always* check the changelogs BEFORE updating that important software!
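The point raised in the reply above, that an object's hash is only known once the whole object has been downloaded, shown as an added example (not code from NoScript or from either poster). It assumes SHA-256 and Node.js; `HashGate`, `fetchThroughGate` and the sample bytes are hypothetical and constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Constructed sample bytes standing in for a shared font file (not a real font).
const SAMPLE_FONT = Buffer.from('constructed sample bytes standing in for a web font');

// Hypothetical user allowlist of SHA-256 digests; note that it holds no origins at all.
const ALLOWED_SHA256 = new Set([
  createHash('sha256').update(SAMPLE_FONT).digest('hex'),
]);

// Holds a response body back from the renderer until its digest is known.
class HashGate {
  constructor(allowed) {
    this.allowed = allowed;
    this.hash = createHash('sha256');
    this.held = [];
    this.bytesDownloaded = 0;
  }

  // Every chunk is hashed and buffered; no verdict is possible yet.
  write(chunk) {
    this.hash.update(chunk);
    this.held.push(chunk);
    this.bytesDownloaded += chunk.length;
  }

  // The digest only exists once the last byte has arrived.
  end() {
    const digest = this.hash.digest('hex');
    const allowed = this.allowed.has(digest);
    const body = allowed ? Buffer.concat(this.held) : null; // blocked bytes are dropped
    this.held = [];
    return { digest, allowed, body, bytesDownloaded: this.bytesDownloaded };
  }
}

// Simulates a fetch from any origin delivering the body as network chunks.
function fetchThroughGate(chunks, allowed = ALLOWED_SHA256) {
  const gate = new HashGate(allowed);
  for (const chunk of chunks) gate.write(chunk);
  return gate.end();
}

const tampered = Buffer.from(SAMPLE_FONT);
tampered[0] ^= 0x01; // constructed modified copy: one flipped bit
console.log(fetchThroughGate([SAMPLE_FONT.subarray(0, 16), SAMPLE_FONT.subarray(16)]).allowed);
console.log(fetchThroughGate([tampered]));
```

The blocked copy still reports its full `bytesDownloaded`: the hash check gates what is rendered, not what is requested from the network.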