"application/font" data in base64 format
Posted: Sat Feb 29, 2020 3:05 pm
by david001
As I read here:
https://trac.torproject.org/projects/tor/ticket/33430 NoScript doesn't block all fonts, although it should IMHO. Shouldn't NoScript avoid using such fonts?
BTW: I cannot post here without activating JS and solving a lot of captchas. Something that should be changed too...
Re: "application/font" data in base64 format
Posted: Sun Mar 01, 2020 7:44 am
by skriptimaahinen
Can confirm. Couple more test cases:
https://www.mediaevent.de/font-in-css-einbetten/ - If the large "Pacifico" text (scroll down to midway of the page) is in beautiful cursive, the data-fonts are not blocked.
https://yle.fi/uutiset - If the blue nav-bar on top of the page has "location marker" on the left side of "Paikallisuutiset", the data-fonts are not blocked.
The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?
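The CSP mechanics behind this report, shown as an added example in JavaScript (this is not NoScript's code and not CapsCSP.js; it is a simplified subset of CSP Level 3 source matching with no nonces, hashes or redirect handling, and the policy strings, the `fontBlockingSummary` helper and the base64 font value are constructed for illustration): a fetch directive that is absent from the policy, with no `default-src` to fall back on, leaves that resource type unconstrained, so `data:` fonts load; once `font-src http: https:` is present, scheme sources only match network URLs and the base64 font is rejected while ordinary HTTPS fonts still load.

```javascript
// Added example, not NoScript's code: a minimal CSP source-list evaluator that
// shows why a missing font-src directive lets data: fonts through.
// Assumptions: simplified CSP Level 3 matching (scheme sources, host sources
// with *. wildcards, 'self', 'none', '*'); no nonces, hashes or redirects.

function parseCsp(header) {
  // Directive name -> source list. A repeated directive is ignored per spec,
  // so the first occurrence wins.
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function governingDirective(policy, type) {
  // Fetch directives fall back to default-src; with neither present the
  // policy does not constrain this resource type at all.
  const specific = `${type}-src`;
  if (policy.has(specific)) return specific;
  if (policy.has("default-src")) return "default-src";
  return null;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  // '*' matches only network schemes: data:, blob: and filesystem: are excluded,
  // so even "font-src *" would stop base64 fonts.
  if (src === "*") return NETWORK_SCHEMES.has(url.protocol);
  // scheme-source such as "https:" or "data:"
  if (/^[a-z][a-z0-9+.\-]*:$/.test(src)) return url.protocol === src;
  // host-source such as "https://fonts.example:443" or "*.example.org"
  const m = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*\.)?([a-z0-9.\-]+)(?::(\d+|\*))?(\/[^\s]*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (`${scheme}:` !== url.protocol) return false;
  } else if (!NETWORK_SCHEMES.has(url.protocol)) {
    return false; // a schemeless host-source never matches a data: URL
  }
  const hostname = url.hostname.toLowerCase();
  const hostOk = wildcard ? hostname.endsWith(`.${host}`) : hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const actual = url.port || DEFAULT_PORT[url.protocol] || "";
    if (actual !== port) return false;
  }
  return true;
}

// Would a resource of `type` at `urlString` be allowed under `header`?
function isAllowed(header, type, urlString, pageOrigin = "https://example.test") {
  const policy = parseCsp(header);
  const directive = governingDirective(policy, type);
  if (directive === null) return true; // nothing in the policy governs this type
  const url = new URL(urlString);
  return policy.get(directive).some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed sample value standing in for a base64-embedded web font.
const DATA_FONT = "data:application/font-woff;base64,d09GRgABAAAAAA";

function fontBlockingSummary() {
  return {
    // Policy without font-src: nothing governs fonts, so the data: font loads.
    missingFontSrc: isAllowed("script-src 'none'; object-src 'none'", "font", DATA_FONT),
    // Policy with font-src http: https:: the data: font is blocked...
    withFontSrcData: isAllowed("script-src 'none'; font-src http: https:", "font", DATA_FONT),
    // ...while an ordinary network font still loads.
    withFontSrcHttps: isAllowed("script-src 'none'; font-src http: https:", "font", "https://fonts.example/a.woff2"),
  };
}

console.log(fontBlockingSummary());
```

`governingDirective` is the crux: the directive list a blocker emits has to name every resource type it wants to restrict, because an omitted fetch directive (with no `default-src`) is not a deny, it is an allow-all.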
Re: "application/font" data in base64 format
Posted: Sun Mar 01, 2020 9:42 am
by Giorgio Maone
skriptimaahinen wrote: Sun Mar 01, 2020 7:44 am
The problem is that "font-src http: https:" is not being added to the CSP-header. Looks like "font" is missing from "types" in CapsCSP.js?
Yes, it is. Fixing that in next release, thanks.
Re: "application/font" data in base64 format
Posted: Sun Mar 01, 2020 9:32 pm
by Giorgio Maone
Please check latest dev build, thanks.
v 11.0.15rc1
============================================================
x Fixed CapsCSP bug allowing data: URLs to bypass font
blocking (thanks dcent and skriptimaahinen)
x [XSS] Prevent DOS detection from being triggered for
already aborted requests (thanks therube)