Loading of a font from the same site like the html and the images should be allowed by default?

tsaufreisen
Posts: 4
Joined: Tue Feb 20, 2024 2:16 pm

Post by tsaufreisen »

First: Thank you for protecting my web browsing over so many years!

I own a web site with hiking reports. For the visualisation of ascent, descent, distances etc. I use a self-made font.
The font is on the same site like the html code, the graphics and everything else. I do not use any scripts.

If I look on my website with installed NoScript everything works, but the font is blocked. I know that I can allow scripts and the font will be loaded.

My problem is: I tell my readers, that I do not use scripts. On the other hand I have to convince them, that they should trust my site as if there were any scripts on it.

Could not be the default behavior, that fonts from the same site as the html are allowed? Like images?
Or do I miss an additional threat that comes with fonts?

An example on my site is https://tom--schilling.de/wandern/wande ... html#start
The line below the headline starts with "L 430 km, H 30.000 m, R 29.450 m" if the font is blocked and shows symbols instead of L, H, R if the font is allowed.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Loading of a font from the same site like the html and the images should be allowed by default?

Post by barbaz »

https://hackademix.net/2010/03/24/why-n ... web-fonts/

Although IIRC typical build configurations of modern Firefox compile web font libraries into WASM and sandbox them (how to check if this is the case for a given Firefox build?), so not sure how big the threat from malicious web fonts is in 2024?
tsaufreisen wrote: Tue Feb 20, 2024 3:02 pm I do not use scripts. On the other hand I have to convince them, that they should trust my site as if there were any scripts on it.
It is possible to only allow "font" permission for a site without also allowing scripts. The responsibility is on the NoScript user to be aware of this option and use it where they find it appropriate.

You should not have to convince them of anything. Either they want your site to work & trust you enough to allow what's necessary, or they don't & then must accept that your site won't work for them.
tsaufreisen wrote: Tue Feb 20, 2024 3:02 pm Could not be the default behavior, that fonts from the same site as the html are allowed? Like images?
NoScript users who want this can enable "font" capability in the DEFAULT preset.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (iPhone; CPU iPhone OS 17_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3 Mobile/15E148 Safari/604.1
tsaufreisen
Posts: 4
Joined: Tue Feb 20, 2024 2:16 pm

Re: Loading of a font from the same site like the html and the images should be allowed by default?

Post by tsaufreisen »

Thanks for the hackademix link.

Yes, probably I should trust my readers, that they get the idea to enable fonts in NoScript.
I do not know anything about my readers and how many of them use NoScript.

My fear is that the reader sees the "L", "H", "R" and does not know that he could allow scripts or fonts in NoScript to get the proper symbols instead. For these readers the website looks just a bit weird.

Of course I can use GIFs instead of a font but the font was the more elegant solution to embed the symbols.

If decoding fonts is more complicated than decoding pictures I understand that it would be a bigger security risk.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Loading of a font from the same site like the html and the images should be allowed by default?

Post by barbaz »

tsaufreisen wrote: Tue Feb 20, 2024 8:00 pm My fear is that the reader sees the "L", "H", "R" and does not know that he could allow scripts or fonts in NoScript to get the proper symbols instead.
Looking at your site, that concern is reasonable. Typically I don't even think to check for allowable fonts unless I see something like this - viewtopic.php?t=27042
You could add something to your site that displays as hex codes like that when your font is not allowed, and displays as a proper icon when your font is allowed.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0
tsaufreisen
Posts: 4
Joined: Tue Feb 20, 2024 2:16 pm

Re: Loading of a font from the same site like the html and the images should be allowed by default?

Post by tsaufreisen »

Yes that would make the missing font visible.
My workaround was so far to use the first letters of the German words that match the symbol. L = Länge, H = Hoch, R = Runter.
Maybe I use a tooltip like in the table on this side: https://tom--schilling.de/programmieren ... html#start

I was not aware that the blocking of the font is due to potential security problems in the font engine. I thought it is only for tracking protection.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
tsaufreisen
Posts: 4
Joined: Tue Feb 20, 2024 2:16 pm

Re: Loading of a font from the same site like the html and the images should be allowed by default?

Post by tsaufreisen »

I think I found a solution for me: Instead of the hexcode for an unknown code or letters I take symbols from the standard font that match the meaning.
Like ↔ = UC: ↔ ↗ = UC: ↗ ↘ = UC: ↘
I have just to move my symbols in the font to that positions.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
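
The fallback approach from the last post, combined with the tooltip idea, as an added example that is not part of the original posts or the poster's site. The family name `HikeSymbols` and the path `/fonts/hike-symbols.woff2` are hypothetical; the sample values are the ones quoted in the thread.

```html
<!doctype html>
<html lang="de">
<head>
<meta charset="utf-8">
<title>Font fallback demo (constructed sample)</title>
<style>
  /* Hypothetical family name and file path: the real font file is not shown in the thread. */
  @font-face {
    font-family: "HikeSymbols";
    /* Same origin as the HTML; NoScript still blocks it unless "font" is allowed. */
    src: url("/fonts/hike-symbols.woff2") format("woff2");
    /* The custom glyphs sit on the code points of the standard arrows,
       so the font is only requested for these three characters. */
    unicode-range: U+2194, U+2197, U+2198;
  }

  /* Web font first. If the font request is blocked, the browser falls
     through to the system font, which draws its own arrows
     instead of placeholder letters or hex boxes. */
  .stats { font-family: "HikeSymbols", sans-serif; }

  /* Tooltip carries the meaning whichever glyph ends up being rendered. */
  .stats abbr { text-decoration: none; cursor: help; }
</style>
</head>
<body>
<p class="stats">
  <abbr title="Länge">&#x2194;</abbr> 430 km,
  <abbr title="Hoch">&#x2197;</abbr> 30.000 m,
  <abbr title="Runter">&#x2198;</abbr> 29.450 m
</p>
</body>
</html>
```

With the font blocked the line reads "↔ 430 km, ↗ 30.000 m, ↘ 29.450 m" in the system font; with "font" allowed for the site the same characters are drawn with the custom symbols.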