Opened 11 years ago

Closed 10 years ago

#1328 closed enhancement (wontfix)

Add option to block remote fonts

Reported by: mikeperry
Priority: Low
Component: Applications/Torbutton
Version: 1.2.4
Cc: mikeperry

Description (last modified by mikeperry)

Firefox 3.6.1 recently fell prey to a remote font exploit. In Firefox 3.5, the browser began accepting fonts
remotely from websites. The problem is that the TrueType font engine is ancient code: code rewritten
from Pascal into non-reentrant C, and then rewritten again into reentrant C. This code is extremely cryptic
and hard to maintain and review, and probably wasn't written with the threat model of unsafe and malicious
remote input in mind. It's a security nightmare waiting to rain down more vulnerabilities like this.

My personal feeling is that this means we should ship with NoScript in a good default configuration for
Tor Browser Bundle. However, I would be willing to accept patches to our nsIContentPolicy to optionally
block remote fonts as an alternative.

[Automatically added by flyspray2trac: Operating System: All]
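The description mentions blocking remote fonts from Torbutton's nsIContentPolicy. The following is an added illustration of what such a policy looks like; it is example code written for this page, not Torbutton's or the ticket author's code. It assumes the Gecko 1.9.x constant values (TYPE_FONT = 14, ACCEPT = 1, REJECT_TYPE = -2) and the six-argument shouldLoad signature of Firefox 3.x; the preference name extensions.torbutton.block_remote_fonts and the sample requests are hypothetical. The decision is kept in a pure function so it can be exercised outside XPCOM.

```javascript
// Added example, not Torbutton code: a Gecko-style nsIContentPolicy that
// rejects font loads unless they come from a browser-bundled scheme.

// nsIContentPolicy constants, assumed to match nsIContentPolicy.idl of the
// Firefox 3.5/3.6 era. Defined locally so the logic runs outside XPCOM.
const ContentPolicy = {
  TYPE_FONT: 14,
  ACCEPT: 1,
  REJECT_TYPE: -2, // "this content type is not allowed here", regardless of URI
};

// Fonts under these schemes ship with the browser or its extensions. Anything
// else (http, https, ftp, data, blob, file, ...) is page-controlled input and
// reaches the font engine the ticket is worried about.
const LOCAL_FONT_SCHEMES = new Set(["chrome", "resource"]);

// Hypothetical on/off preference; the name is an assumption for this example.
const prefs = { "extensions.torbutton.block_remote_fonts": true };

// Pure decision function. contentLocation is an nsIURI-like object; only
// .scheme is consulted. A missing or scheme-less location is treated as
// untrusted rather than silently accepted.
function fontLoadDecision(contentType, contentLocation, enabled) {
  if (!enabled || contentType !== ContentPolicy.TYPE_FONT) {
    return ContentPolicy.ACCEPT;
  }
  const scheme = ((contentLocation && contentLocation.scheme) || "").toLowerCase();
  return LOCAL_FONT_SCHEMES.has(scheme) ? ContentPolicy.ACCEPT : ContentPolicy.REJECT_TYPE;
}

// The object Gecko would call. Argument order follows nsIContentPolicy in
// Firefox 3.x: (type, location, origin, context, mimeTypeGuess, extra).
const RemoteFontPolicy = {
  shouldLoad(contentType, contentLocation, requestOrigin, context, mimeTypeGuess, extra) {
    return fontLoadDecision(
      contentType,
      contentLocation,
      prefs["extensions.torbutton.block_remote_fonts"]
    );
  },
  // shouldProcess runs after the data has arrived; nothing extra to do for fonts.
  shouldProcess() {
    return ContentPolicy.ACCEPT;
  },
};

// Constructed sample requests standing in for nsIURI objects (not real traffic).
function demo() {
  const cases = [
    { type: 14, uri: { scheme: "http", spec: "http://example.com/evil.ttf" } },
    { type: 14, uri: { scheme: "data", spec: "data:font/ttf;base64,AAAA" } },
    { type: 14, uri: { scheme: "chrome", spec: "chrome://global/skin/bundled.ttf" } },
    { type: 3, uri: { scheme: "http", spec: "http://example.com/image.png" } },
  ];
  return cases.map((c) => [
    c.uri.spec,
    RemoteFontPolicy.shouldLoad(c.type, c.uri, null, null, "", null),
  ]);
}

for (const [spec, verdict] of demo()) {
  console.log(verdict === ContentPolicy.ACCEPT ? "ACCEPT " : "REJECT ", spec);
}
```

In a real extension the policy object is exposed as an XPCOM component and its contract ID is registered under the "content-policy" category with nsICategoryManager, which is what makes Gecko consult shouldLoad for every request. Note that data: and blob: fonts are rejected too: they are supplied by the page just like a fetched file, so an allowlist of bundled schemes is a better fit for this threat model than a denylist of network schemes.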

Child Tickets

Change History (3)

comment:1 Changed 11 years ago by ioerror

I think we should have an option to disable remote font loading and it should be enabled by default. This is entirely different from all of the SSL security enhancements and simply takes yet another crazy virtual machine out of the picture (like flash, java, activeX, etc).

comment:2 Changed 11 years ago by mikeperry

So I was just about to break down and code this when I decided to spend about 15 minutes looking over the past
year of MSAs for Firefox.

The vast majority of them are actually for vulnerabilities in ogg/theora rather than this font lib. We can't
block ogg/theora as easily from the content policy, but NoScript will handle this nicely with its placeholders.
I am back to thinking NoScript is the way to go. Helix is going to make some alpha TBB builds with NoScript in
a sane config for us for people to try.

comment:3 Changed 10 years ago by mikeperry

Description: modified (diff)
Resolution: None → wontfix
Status: new → closed

Closing this. We should rely on NoScript.
