Please check
latest development build 10.1.7rc3, thanks.
v 10.1.7rc3
=============================================================
+ Pressing DEL while on a fixed/absolutely positioned element
of a script-disabled page removes it, allowing users to
dismiss in-content popup "windows" and blocking overlays
x Fixed changing sites permission resets local preferences
regression from 10.1.7rc1 (thanks pal1000 for report)
x Fixed data: and blob: fonts not blocked even if the "font"
permission is not given to the main document (thanks
skriptimaahinen for report and preliminary patch)
skriptimaahinen wrote:Sorry, should have pointed the difference out. Also worth noting explicitly is that with the patch, if one wishes to allow/use fonts (awesome, gstatic, etc.) on some page, they are also forced to set that domain as allowed SOURCE of fonts.
I've modified your patch to work-around this limitation. Now it should work as expected: 3rd party fonts permissions independent from 1st party, either HTTP(S) or data:/blob:
skriptimaahinen wrote:
Related, how big of a threat are webfonts these days? It's been almost ten years since webfonts were introduced. One would assume that the font parsers have matured since.
Latest big incident in 2015, AFAIK.