Allow objects permanently based on their content hash

Posted: Sat Aug 20, 2016 5:15 am
by uaty8bipzd
Some objects like web fonts are shared among a lot of websites.
For example, it is not possible to launch an attack by rendering FontAwesome (if it is the real one from http://fontawesome.io/ and not a faked malicious font).
Please make it possible to allow such objects permanently based on the cryptographic hash value of their content (and not their hosting origin).

Re: Allow objects permanently based on their content hash

Posted: Sat Aug 20, 2016 3:59 pm
by barbaz
-1
The file would have to be downloaded in order to check its hash. And you do realize it's possible to produce files with colliding hashes, right?
If I don't trust a site, I don't care what hash its active content has nor what the active content is, I don't want it on my machine. FAQ 1.11

The solution to your dilemma is to block the fonts, and use an extension to locally redirect the request to fontawesome.io or a local replacement.

(related: viewtopic.php?f=8&t=17045)
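
An added illustration, not part of either post and not any extension's actual code: a content-hash gate in Node.js showing the two properties discussed in this thread. The allow decision ignores the hosting origin, and it cannot be made until the whole response has been downloaded and hashed. `HashGate`, `ALLOWED_SHA256`, `fetchThroughGate` and the sample bytes are hypothetical names and constructed data.

```javascript
const { createHash } = require('crypto');

// Constructed sample: bytes standing in for a font file the user has vetted.
const VETTED_FONT = Buffer.from('constructed-sample-font-bytes-v1');

// Allowlist keyed by SHA-256 of the content, not by hosting origin.
const ALLOWED_SHA256 = new Set([
  createHash('sha256').update(VETTED_FONT).digest('hex'),
]);

class HashGate {
  constructor(allowed) {
    this.allowed = allowed;
    this.hash = createHash('sha256');
    this.held = [];        // chunks withheld from the renderer
    this.bytesFetched = 0;
  }
  // Called per network chunk. Nothing can be released yet: the digest
  // is unknown until the last byte has arrived.
  write(chunk) {
    this.hash.update(chunk);
    this.held.push(chunk);
    this.bytesFetched += chunk.length;
  }
  // Called at end of response. Only now is an allow/block decision possible.
  end() {
    const digest = this.hash.digest('hex');
    const allowed = this.allowed.has(digest);
    const body = allowed ? Buffer.concat(this.held) : null;
    this.held = [];
    return { allowed, digest, body, bytesFetched: this.bytesFetched };
  }
}

function fetchThroughGate(chunks) {
  const gate = new HashGate(ALLOWED_SHA256);
  for (const c of chunks) gate.write(c);
  return gate.end();
}

// Same bytes, split arbitrarily, origin never consulted: allowed.
const ok = fetchThroughGate([VETTED_FONT.subarray(0, 10), VETTED_FONT.subarray(10)]);
// One bit changed: blocked, but only after the full file was downloaded.
const tampered = Buffer.from(VETTED_FONT);
tampered[0] ^= 1;
const bad = fetchThroughGate([tampered]);
console.log(ok.allowed, bad.allowed, bad.bytesFetched);
```
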