Noscript 10 web-font blocking

Bug reports and enhancement requests
Post Reply
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Noscript 10 web-font blocking

Post by skriptimaahinen »

Noscript 10 does not appear to block web-fonts if they are provided as data:

Code: Select all

@font-face {
    font-family:yle-header-fontello;
    src:url('data:application/octet-stream;base64,d09GRgABAAAAAAvgAA4AAAAAFNwAAQAAAAAAAAAA...') format('truetype')
}
Example page: https://yle.fi/uutiset

The icons for search (hae) and menu (valikko) are provided by the font-face above.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Noscript 10 web-font blocking

Post by skriptimaahinen »

This is still an issue (Noscript Version 10.1.6.4). If additional info is needed, please ask.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
pal1000
Junior Member
Posts: 44
Joined: Tue Mar 10, 2015 1:30 pm

Re: Noscript 10 web-font blocking

Post by pal1000 »

NS 10.1.6.6 RC2 is still affected.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Noscript 10 web-font blocking

Post by Giorgio Maone »

NoScript treats data: URIs for embedded resources as same origin with the document (even though when they represent HTML documents they've been recently demoted to null origin, making them safer than before because scripts couldn't access parent resources).
Therefore unless fonts are enabled for yle.fi, data: fonts shouldn't be rendered.

I suspect what you've actually noticed is the font being aggressively cached by Firefox.
Steps to reproduce:
  1. Open https://yle.fi/uutiset with the cache cleared and default NoScript settings
  2. Watch the font not being rendered
  3. Change yle.fi permissions to CUSTOM (you'll see the [font] permission checkbox gets a red background, signifying some webfont load has been attempted), and check the font box
  4. On reload the font will be rendered
  5. Now turn the domain back to DEFAULT (or just remove the font capability from the CUSTOM permissions)
  6. On auto-reload and subsequent "soft" reloads, the font is still rendered
  7. Clear the cache or just hard-reload (shift+F5)
  8. The font shouldn't be rendered anymore
Please let me know if you observe anything different, thanks.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
pal1000
Junior Member
Posts: 44
Joined: Tue Mar 10, 2015 1:30 pm

Re: Noscript 10 web-font blocking

Post by pal1000 »

Thanks for the response. I personally would like to wait for the original bug reporter to reply as the difference between with and without fonts is not so obvious on that page or probably my eyesight is not the best.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Noscript 10 web-font blocking

Post by skriptimaahinen »

Ah, sorry, have not been paying attention to this report for a while.

Unfortunately no amount of clearing cache, history, etc., makes the icons disappear.

Attached image to show difference between unblocked and blocked.

Image

As far as I can tell, Noscript currently blocks fonts only in onBeforeRequest, that is, if they are actually "fetched". So I don't see how it would block data: URIs. That said, I made a little patch that fixed the problem for me.

Code: Select all

RequestGuard.js line: 350

  let capabilities = perms;
  let canScript = capabilities.has("script");
  let canFont = capabilities.has("font");

  let blockedTypes = [];
  if (!content.disposition &&
    (!content.type || /^\s*(?:video|audio|application)\//.test(content.type))) {
    debug(`Suspicious content type "%s" in request %o with capabilities %o`,
      content.type, request, capabilities);
    blockedTypes = CSP.types.filter(t => !capabilities.has(t));
  }
  else { 
    if(!canScript) { blockedTypes.push("script"); }
    if(!canFont) { blockedTypes.push("font"); }
  }
  if (blockedTypes && blockedTypes.length) {
    blocker = CSP.createBlocker(...blockedTypes);
  }
So simply checking if fonts are allowed (canFont) and respectively adding the "font" to "blockedTypes" to create the font-src:'none' CSP rule. Just like it's done with scripts.

Hope this helps.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Noscript 10 web-font blocking

Post by Giorgio Maone »

Thanks for the patch.
Sorry, when I reviewed your PoC I was looking at the readable fonts on the toolbar and completely missed the icon font.
Actually I'd expect onBeforeRequest to intercept data: URIs on Firefox (unlike Chrome, which doesn't) based on the original WebExtension API implementation, so I'm gonna investigate further.
I'll consider also merging your patch, but as far as I can see there's an important difference with the expected behavior, i.e. it would block any font load on the page, not just data:
Thanks again :)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Noscript 10 web-font blocking

Post by skriptimaahinen »

Sorry, should have pointed the difference out. Also worth noting explicitly is that with the patch, if one wishes to allow/use fonts (awesome, gstatic, etc.) on some page, they are also forced to set that domain as allowed SOURCE of fonts. I wonder how big of a problem that is?

Related, how big of a threat are webfonts these days? It's been almost ten years since webfonts were introduced. One would assume that the font parsers have matured since.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Noscript 10 web-font blocking

Post by Giorgio Maone »

Please check latest development build 10.1.7rc3, thanks.

v 10.1.7rc3
=============================================================
+ Pressing DEL while on a fixed/absolutely positioned element
of a script-disabled page removes it, allowing users to
dismiss in-content popup "windows" and blocking overlays
x Fixed changing sites permission resets local preferences
regression from 10.1.7rc1 (thanks pal1000 for report)
x Fixed data: and blob: fonts not blocked even if the "font"
permission is not given to the main document (thanks
skriptimaahinen for report and preliminary patch)

skriptimaahinen wrote:Sorry, should have pointed the difference out. Also worth noting explicitly is that with the patch, if one wishes to allow/use fonts (awesome, gstatic, etc.) on some page, they are also forced to set that domain as allowed SOURCE of fonts.
I've modified your patch to work-around this limitation. Now it should work as expected: 3rd party fonts permissions independent from 1st party, either HTTP(S) or data:/blob:
skriptimaahinen wrote: Related, how big of a threat are webfonts these days? It's been almost ten years since webfonts were introduced. One would assume that the font parsers have matured since.
Latest big incident in 2015, AFAIK.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Noscript 10 web-font blocking

Post by skriptimaahinen »

Aah, didn't even consider such blank permission as a possibility for the CSP. Very nice.

However, there is still a minor issue with the "needed" marker not updating for the font. Unfortunately the https://yle.fi/uutiset was not the best site to test this as there were "normally" fetched fonts alongside the data-fonts, so the marker was set anyhow. Better site for testing would be plain https://yle.fi as there the only font is the data-one.

The issue seems to culminate around popup.js/initSitesUI, where the "seen"-messages with data-urls get filtered out due to the parsers not being able to handle them.
Giorgio Maone wrote:Latest big incident in 2015, AFAIK.
Maybe give them few more years then...
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Noscript 10 web-font blocking

Post by Giorgio Maone »

Please check latest development build, thanks.

v 10.1.7rc4
=============================================================
x "Needed type" feedback in Custom preset for data: and blob:
fonts (thanks skriptimaahinen for report)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Noscript 10 web-font blocking

Post by skriptimaahinen »

Everything seems to be in order now. Thank you!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Post Reply