Are fonts using an unsafe library on Firefox Android too ?

TomBombadil

Are fonts using an unsafe library on Firefox Android too ?

Post by TomBombadil »

Hi,

Waiting for NoScript 3 to be released, I'm giving a try to uMatrix on Android. I noticed that it doesn't discriminate CSS and fonts when allowing or blocking elements. Does that mean the author is unaware or unconcerned by the problem, or that Firefox has updated its font drawing library so that it is now secure ?

Also, is this library both unsafe on Firefox Windows AND Android ?

Thanks for the feedback :)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: Are fonts using an unsafe library on Firefox Android too

Post by barbaz »

On desktop, webfonts are more a potential for exploit these days, than an actual security hole. Do a search for "web font vulnerability" and see what comes up, then narrow the search down by OS, try narrowing it down by browser, try both... look at how recent those vulns are and if they're patched. If you don't find anything from within a year ago, the answer depends on how paranoid you are; otherwise I would definitely recommend blocking webfonts.
TomBombadil wrote:I'm giving a try to uMatrix on Android. I noticed that it doesn't discriminate CSS and fonts when allowing or blocking elements.
µMatrix is a nice addon, but I don't think you should base any assessment on what µMatrix is lumping with what; its categorization system doesn't make sense to me for the content types it doesn't explicitly list (note also that HTML5 media is declared "other", if not for that it would be a nice security rule to block "other" by default in µMatrix).

Just because fonts are loaded with CSS, doesn't mean they should be treated like CSS.
*Always* check the changelogs BEFORE updating that important software!
-
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Are fonts using an unsafe library on Firefox Android too

Post by Thrawn »

Perhaps it's worth raising a Github issue about having separate categories for fonts and CSS? I think gorhill would be reluctant to make the matrix wider and noisier, but you can ask.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: Are fonts using an unsafe library on Firefox Android too

Post by barbaz »

Good idea, but if horizontal size of matrix is the concern, I think this is a more important distinction
barbaz wrote:(note also that HTML5 media is declared "other", if not for that it would be a nice security rule to block "other" by default in µMatrix)
Anyway, can't hurt to ask for both separations as RFE Github issue. Can you please file it? Thanks.
*Always* check the changelogs BEFORE updating that important software!
-
TomBombadil

Re: Are fonts using an unsafe library on Firefox Android too

Post by TomBombadil »

You can block fonts separately if you also install uBlock Origin and set the dynamic filtering rule

Code:

no-remote-fonts: * true

Thanks to your suggestion I found this recent font vulnerability fixed in Firefox 42 or 43, but I'm not sure that it affects Firefox for Android.

I think one would need to know the name of the problematic font rendering library and check whether it is in the multiplatform core of Firefox or Windows-specific. If the library is really about rendering though, then it may be in Gecko, and as far as I know Firefox for Android uses Gecko, soooo, probably, fonts should be disallowed on Android too.

I wonder if Chrome has this issue with fonts too now.


I agree that Media should be a separate category from Other, especially if Other contains unusual protocols like jar: (to be removed in Firefox 45 because unsafe). I'm going to assume data: and javascript: are tied to the Script category though. Lots of questions for Gorhill :)

The same person can't ask for everything in one go or all of it will be ignored, but I might do so one step at a time over the next few months.

Last question, do you guys enable fonts selectively with Javascript ? I got the idea that the library had been made in a very unsecure way and way more unsafe than the Javascript engine, and so allowing JS was less of a risk than allowing fonts. I guess my original question was, are the risk levels evened out nowadays ?


Thanks!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: Are fonts using an unsafe library on Firefox Android too

Post by barbaz »

TomBombadil wrote:Thanks to your suggestion I found this recent font vulnerability fixed in Firefox 42 or 43, but I'm not sure that it affects Firefox for Android.

I think one would need to know the name of the problematic font rendering library and check whether it is in the multiplatform core of Firefox or Windows-specific. If the library is really about rendering though, then it may be in Gecko, and as far as I know Firefox for Android uses Gecko, soooo, probably, fonts should be disallowed on Android too.
Agreed, but I'm just a power user. Other members of forum staff (especially Giorgio) would be able to give a more informed assessment.
TomBombadil wrote:I wonder if Chrome has this issue with fonts too now.
If it was fixed in Firefox, then I would expect Chrome wouldn't have the same exact vuln, although if they're using the same font rendering backend it's very possible it'd have a similar vuln. (in short, idk)
Again, Internet searches are the best way to judge how paranoid you should be about webfonts...
TomBombadil wrote:unusual protocols like jar: (to be removed in Firefox 45 because unsafe).
Bug link please?
TomBombadil wrote:I'm going to assume data: and javascript: are tied to the Script category though.
µMatrix is a network filter, it should have no effect on data: URIs. I would think that whether or not javascript: URI permissions are controlled by the script category would be controlled by whether or not µMatrix blocks inline scripts, and IIRC it does (I don't use µMatrix's script blocking at all though, I prefer to leave that entirely to NoScript).
TomBombadil wrote:The same person can't ask for everything in one go or all of it will be ignored,
:? I would hope gorhill isn't that kind of person, that he would get to all of it that he finds reasonable as he has time...
TomBombadil wrote:Last question, do you guys enable fonts selectively with Javascript ? I got the idea that the library had been made in a very unsecure way and way more unsafe than the Javascript engine, and so allowing JS was less of a risk than allowing fonts. I guess my original question was, are the risk levels evened out nowadays ?
I'm not sure quite what you're asking, so I'll paraphrase my best guess and then answer that: "Do you guys configure NoScript to (by default) un-block fonts when you Allow or Temporarily allow a site's JS?"

I can only speak for myself here, and my answer is yes. This is not so much a technical question as it is a question of trust. In Internet security, either you trust a site or you don't... (I'll skip the explanation of this as you seem knowledgeable enough not to need it :) ) Active content is a requirement to exploit almost all browser vulnerabilities, including even e.g. CSS vulns. If I trust a site to run JS, I am trusting that they won't do anything nasty like exploit a vulnerability; as such I would have no reason to disallow them from displaying the [self-hosted] font(s) they want (unless, of course, said font(s) make my eyes bleed :P ).
Just my 2¢, YMMV.
*Always* check the changelogs BEFORE updating that important software!
-
TomBombadil

Re: Are fonts using an unsafe library on Firefox Android too

Post by TomBombadil »

Okay, thanks for all the answers! I'm currently treating fonts as I do WebGL and media elements, keep it disabled even on JS allowed sites unless I really need it. I was wondering whether I should start enabling fonts whenever JS is enabled. (On a side note, I don't know if it's possible to automatically allow @font-face on whitelisted sites while keeping all other objects blocked thanks to "Apply restrictions to trusted sites")

Here's the bug for jar: URI.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: Are fonts using an unsafe library on Firefox Android too

Post by barbaz »

TomBombadil wrote:(On a side note, I don't know if it's possible to automatically allow @font-face on whitelisted sites while keeping all other objects blocked thanks to "Apply restrictions to trusted sites")
Sure.
about:config > noscript.allowedMimeRegExp
TomBombadil wrote:Here's the bug for jar: URI.
Oh good, they're not killing off jar: entirely, just for remote files. That actually makes sense - from what I've read, jar: *is* dangerous in those scenarios.
I see that the pref already exists in the Gecko version I run on atm, will flip it and see how that goes.

Thanks.
*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: Are fonts using an unsafe library on Firefox Android too

Post by barbaz »

barbaz wrote:Good idea, but if horizontal size of matrix is the concern, I think this is a more important distinction
barbaz wrote:(note also that HTML5 media is declared "other", if not for that it would be a nice security rule to block "other" by default in µMatrix)
Anyway, can't hurt to ask for both separations as RFE Github issue.
Just saw that someone did: https://github.com/gorhill/uMatrix/issues/590
That response from gorhill doesn't look promising, but the lack of comment makes it hard to tell if it got rejected because it's a badly filed issue...
*Always* check the changelogs BEFORE updating that important software!
-