InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

CSS Font Loading, does it need care from NoScript ?

https://forums.informaction.com/viewtopic.php?t=21257

Page 1 of 1

CSS Font Loading, does it need care from NoScript ?

Posted: Wed Sep 16, 2015 12:16 pm
by Steven Seagull
Hi,

Starting from Firefox 41, CSS Font Loading API will be enabled by default. Does it present any risk that NoScript doesn't already cover through blocking @font-face ?

Like, does it trigger in a separate way the rather unsecure GPU font library that NoScript aimed to block when it started blocking @font-face.

I'd say no, but not sure. So might as well report.

Re: CSS Font Loading, does it need care from NoScript ?

Posted: Wed Sep 16, 2015 4:16 pm
by barbaz
Firefox 41 is currently in beta. Can you "just try it"?

Does anyone know if this is enabled by default in SeaMonkey 2.38 beta too? If not, how to enable it to check if NS already blocks it?
(I'm assuming it's implemented in the Gecko engine aka shared code.)

Re: CSS Font Loading, does it need care from NoScript ?

Posted: Wed Sep 16, 2015 5:09 pm
by Steven Seagull
I could install Fx 41 but I don't know of a reliable way to check if NoScript blocks CSS Font Loading API from using the insecure GPU font library. I'd need to dig into how to use the API as well as what is expected to happen when a NoScript block occurs. (i.e. does no font being displayed really mean that the library was never used at all)

I don't have that sort of time at the moment :/

Re: CSS Font Loading, does it need care from NoScript ?

Posted: Wed Sep 16, 2015 5:47 pm
by barbaz
Can you please come up with an example page that uses it that I can put on my local server & point to whatever webfont I have on hand?
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited