Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#17759 closed defect (fixed)

font whitelist fails to stop local fonts in @font-face

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: TorBrowserTeam201512R
Cc:
Actual Points:
Parent ID: #18097
Points:
Reviewer:
Sponsor:

Description

In #13313, we introduced a font whitelist pref. John Daggett pointed out in https://bugzilla.mozilla.org/show_bug.cgi?id=1121643#c6
that a CSS rule like:

   @font-face {
     font-family: "MyTimes";
     src: local("Times");
   }

allows content to use "Times" even if it is not in our whitelist.

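What the description is pointing at is a font-enumeration probe: content aliases a local font under a family name it controls and then checks whether text set in that alias renders differently from a known fallback. The following is an added example, not code from this ticket or from Tor Browser, showing the probe the way a fingerprinting script would use it. The DOM document is passed in as a parameter so the decision logic can be exercised outside a browser; the font names, the alias naming scheme and the test string are constructed for illustration.

```javascript
// Added example: how a page can use @font-face src:local() to detect fonts that a
// font whitelist is supposed to hide. Not Tor Browser code; the font names and the
// test string below are constructed for illustration.

// Build the @font-face rule from the ticket description: alias the local font
// "localName" under a family name the page controls.
function localFontFaceRule(alias, localName) {
  return `@font-face { font-family: "${alias}"; src: local("${localName}"); }`;
}

// Measure how wide a test string renders in a given font-family stack.
// "doc" is a DOM Document (window.document in a browser); taking it as a
// parameter lets the same logic be driven by a stub outside a browser.
function measureWidth(doc, fontFamily, text) {
  const span = doc.createElement("span");
  span.style.fontFamily = fontFamily;
  span.style.fontSize = "72px";
  span.style.position = "absolute";
  span.style.visibility = "hidden";
  span.textContent = text;
  doc.body.appendChild(span);
  const width = span.offsetWidth;
  doc.body.removeChild(span);
  return width;
}

// Probe a list of local font names. For each name, install an alias rule, then
// compare the width of text set in '"alias", monospace' against "monospace"
// alone. If the local() lookup succeeded the alias resolves to the real font and
// the width differs; if the font is absent, or the browser refuses local() for a
// font outside the whitelist (the fix this ticket tracks), the fallback is used
// and the widths match. Returns { fontName: detected }.
function probeLocalFonts(doc, localNames, text = "mmmmmmmmmmlli") {
  const style = doc.createElement("style");
  const aliases = localNames.map((name, i) => [name, `probe-${i}`]);
  style.textContent = aliases
    .map(([name, alias]) => localFontFaceRule(alias, name))
    .join("\n");
  doc.head.appendChild(style);

  const fallback = "monospace";
  const baseline = measureWidth(doc, fallback, text);
  const result = {};
  for (const [name, alias] of aliases) {
    const probed = measureWidth(doc, `"${alias}", ${fallback}`, text);
    result[name] = probed !== baseline;
  }
  doc.head.removeChild(style);
  return result;
}

// In a browser, run the probe against a few constructed names.
if (typeof document !== "undefined") {
  console.log(probeLocalFonts(document, ["Times", "Arial", "NoSuchFont-xyz"]));
}
```

Run in a page's console, a browser that honours local() for any installed font reports true for every installed name regardless of any whitelist; a browser that restricts local() to whitelisted fonts reports true only for those. A single width comparison can coincide by accident, so real probes repeat the measurement with several test strings and fallback families before trusting a result.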
Child Tickets

Change History (6)

comment:1 Changed 4 years ago by arthuredelstein

Keywords: TorBrowserTeam201512R added; TorBrowserTeam201512 removed
Status: new → needs_review

comment:2 in reply to: 1; Changed 4 years ago by mcs

Replying to arthuredelstein:

Here's a fixup patch:

https://github.com/arthuredelstein/tor-browser/commit/17759

r=mcs, r=brade
Do we have any automated tests for the font white list feature? If we do, please add a test for this case; if not, we should create some tests soon.

comment:3 in reply to: 2; Changed 4 years ago by arthuredelstein

Replying to mcs:

Replying to arthuredelstein:

Here's a fixup patch:

https://github.com/arthuredelstein/tor-browser/commit/17759

r=mcs, r=brade
Do we have any automated tests for the font white list feature? If we do, please add a test for this case; if not, we should create some tests soon.

Thanks for the review. We don't yet have automated tests. I opened a ticket: #17785

comment:4 Changed 4 years ago by gk

Resolution: fixed
Status: needs_review → closed

Looks good to me. Applied to tor-browser-38.4.0esr-5.5-1 (commit 03f70ef48bfbd9c9cf80177151a1dc7290409f4b).

comment:5 Changed 4 years ago by arthuredelstein

Parent ID: 18097

comment:6 Changed 4 years ago by arthuredelstein

Parent ID: 18097 → #18097