
[Feature request] about:config setting for @font-face

Posted: Wed Jun 06, 2012 9:40 pm
by Lekensteyn
Hi all,

I block all plugin/font content by default, even for trusted sites.
At some point, github.com decided to use fonts for their icons. This resulted in an ugly "1" being displayed instead of a "Settings" icon, for example.

The solution to that is opening the NoScript menu and unblocking the font under "Blocked objects". The next time the browser restarts, this setting is gone.
Please make it possible to permanently allow the specified resource or add an about:config option as done for noscript.allowedMimeRegExp. Setting application/x-font-ttf@https://a248\.e\.akamai\.net as value for the aforementioned setting does not work, possibly because it only applies to plugins.

Below is an extract of the stylesheet:

Code:

@font-face
{
    font-family: 'Octicons Regular';
    src: url("https://a248.e.akamai.net/assets.github.com/fonts/octicons/octicons-regular-webfont.eot?639c50d4");
    src: url("https://a248.e.akamai.net/assets.github.com/fonts/octicons/octicons-regular-webfont.eot?639c50d4#iefix") format("embedded-opentype"),
    url("https://a248.e.akamai.net/assets.github.com/fonts/octicons/octicons-regular-webfont.woff?0605b255") format("woff"),
    url("https://a248.e.akamai.net/assets.github.com/fonts/octicons/octicons-regular-webfont.ttf?f82fcba7") format("truetype"),
    url("https://a248.e.akamai.net/assets.github.com/fonts/octicons/octicons-regular-webfont.svg?1f7afa21#newFontRegular") format("svg");
    font-weight: normal;
    font-style: normal;
}
I am using Firefox 13 with NoScript 2.4.4.

Thanks,
Lekensteyn

Re: [Feature request] about:config setting for @font-face

Posted: Wed Jun 06, 2012 10:01 pm
by dhouwn
Good idea IMHO. Little nit: I believe the MIME type would have to look different in this case since Firefox supports the WOFF format.

Re: [Feature request] about:config setting for @font-face

Posted: Wed Jun 06, 2012 10:11 pm
by Lekensteyn
Ah, I did not know that. Anyway, it still did not work with the very permissive

Code:

.*@.*
expression. Looking at the source code, it should match:

Code:

if (this.allowedMimeRegExp &&
    (this.allowedMimeRegExp.test(aMimeTypeGuess) ||
      this.allowedMimeRegExp.test(aMimeTypeGuess + "@" + locationSite))
    ) {
  return CP_OK;
}
The match works on Youtube for all Flash things.
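
Added example, not part of the thread or of NoScript's code: it models only the condition in the excerpt above and compares three values for noscript.allowedMimeRegExp. Assumptions: the preference string is compiled as-is with no anchors added, and the sample MIME types and sites are constructed. It says nothing about whether this check is reached for fonts.

```javascript
// Model of the quoted condition: the regex is tested against the MIME guess
// alone and against "<mime>@<site>". Assumption: the preference value is
// compiled with new RegExp() unchanged (no implicit ^ or $).
function mimeAllowed(prefValue, mimeTypeGuess, locationSite) {
  if (!prefValue) return false;
  const re = new RegExp(prefValue);
  return re.test(mimeTypeGuess) || re.test(mimeTypeGuess + "@" + locationSite);
}

// Constructed sample requests: MIME guess plus the site serving the object.
const SAMPLES = [
  { mime: "application/x-font-ttf", site: "https://a248.e.akamai.net" },
  { mime: "application/x-font-woff", site: "https://a248.e.akamai.net" },
  // Different host that merely starts with the allowed host name.
  { mime: "application/x-font-ttf", site: "https://a248.e.akamai.net.example.invalid" },
  { mime: "application/x-shockwave-flash", site: "https://other.example" },
];

// Returns the "<mime>@<site>" strings a given preference value would allow.
function evaluate(prefValue) {
  return SAMPLES
    .filter((s) => mimeAllowed(prefValue, s.mime, s.site))
    .map((s) => s.mime + "@" + s.site);
}

const PATTERNS = {
  // The value tried in the post: allows every type from every site.
  permissive: ".*@.*",
  // The value from the first post: test() is a substring search, so the
  // look-alike host is allowed too, and the WOFF type is not covered.
  unanchored: "application/x-font-ttf@https://a248\\.e\\.akamai\\.net",
  // Anchored at both ends and limited to the two font types in SAMPLES.
  anchored: "^application/x-font-(ttf|woff)@https://a248\\.e\\.akamai\\.net$",
};

for (const [name, pattern] of Object.entries(PATTERNS)) {
  console.log(name, evaluate(pattern));
}
```
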

Re: [Feature request] about:config setting for @font-face

Posted: Thu Jun 07, 2012 8:59 am
by dhouwn
Sorry, you misunderstood me. I meant that, should it have worked or should it work in the future, you would have to use a different filter on this page. That it doesn't work is kind of expected, since this setting is just meant for plugins (and until recently just for plugins other than certain popular ones). But since the setting name does not imply being specific to plugins, I don't see much of a problem with overloading it (at least from a user perspective). But now that I think about it, it might lead to much cleaner code if done as a separate setting.

Re: [Feature request] about:config setting for @font-face

Posted: Sat Jun 16, 2012 1:37 pm
by KIAaze
I would also like to see a way to permanently allow certain objects, ideally in the NoScript menu.

(Another similar thing I would like to see is the possibility to block insecure content on SSL pages, but that's a Firefox issue apparently.)

Re: [Feature request] about:config setting for @font-face

Posted: Mon Jun 18, 2012 1:19 am
by Thrawn
You can block http domains in https pages with ABE:

Code:

Site ^http://.*
Deny from ^https://.*
You can also control specific objects with ABE, but it means allowing the plugin type in the main menu, writing a global deny rule for that plugin type, and then writing exceptions by hand. Or waiting for NoScript 3.x for the desktop!

Re: [Feature request] about:config setting for @font-face

Posted: Sat Aug 10, 2013 9:11 am
by Lekensteyn
I finally got tired of manually enabling fonts each time and started to dig into the code.

Some surprises:
  • Why is capability.policy.maonoscript.sites not shown in about:config?
  • What is the magic regex used in return IOUtil.anonymizeURL(url.replace(/(\w+:\/\/[^\.\/\d]+)\d+(\.[^\.\/]+\.)/, '$1$2'));? Why strip that digit in the middle? Something like User123.example.com -> User.example.com?
This patch was created to achieve my goal as fast as possible. It does not integrate in the UI or anything, but allows me to permanently whitelist entries by manually editing the new noscript.objectWhitelist preference. Feel free to edit it to adapt to your needs.

For Github fonts:

Code:

noscript.objectWhitelist={"https://github.com>https://github.global.ssl.fastly.net":["Font"]}