Disable downloadable fonts on Safest security level
Websites can circumvent measures by Tor Browser / NoScript to reject fonts.
Fonts can be injected as “application/font” data in base64 format, directly into the CSS! I discovered this at CSS Tricks... go figure. I've noticed this on another website since.
To replicate, go to the above site in Tor's highest security setting.
You'll see that the fonts are not your usual fonts.
Inspect the CSS and you'll see code like this to "import" the fonts:
@font-face { font-family:sentinel ssm a; src:url(data:application/x-font-woff2;base64,d09GMgABAAAAAFKQABIAAAAArzgAAFIsAAFNDgAAAAA etc etc); font-weight:400; font-style:normal }
The thing that struck me is that the embedded mime type is ‘application/x-font-woff2’. What other “application” types might be embed-able and usable/executable?
I did a search and didn't see this as a ticket.
Trac:
Username: dcent
Activity
An issue with NoScript is by extension an issue with Tor Browser.
It's easy to reproduce as stated in the ticket, but if you have any further questions I'd be happy to answer.
Is anyone at Guardian Project able to follow this up with the NoScript developer(s) or direct the NoScript developer(s) over here?
Trac:
Username: dcent-
I think you should discuss this better here: https://forums.informaction.com/viewforum.php?f=3
Trac:
Username: Yeti Thanks for reporting this. While I was partially joking about a "malicious font", I did take this seriously. This could be a attack vector, so I dug into it a bit and it looks like we can flip
gfx.downloadable_fonts.enabledon Safest and it will ignore webfonts.Trac:
Summary: Fonts can be injected into a website via CSS (as base64 encoded application) to Disable downloadable fonts on Safest security level
Keywords: N/A deleted, TorBrowserTeam202002 addedWhile this is still fresh in my mind:
bug33430_00I verified this works by loading the provided example page on Safer (before disabling the pref), I opened the webtools Inspector, I selected an element on the page (any of them should work), from the panel on the right-side I selected the "fonts" tab, at the bottom of the fonts tab there is an "All fonts on page" arrow/toggle (at least in English). Clicking this shows all fonts used on the page, and indeed it shows the
data:webfonts.After disabling the downloadable_fonts pref, I refreshed the page and repeated the above steps. It shows only system fonts were used.
In parallel, I went code-diving and this seems reasonable.
Trac:
Status: new to needs_review
Reviewer: N/A to acat-
Good to see this is being addressed.
It might be advantageous to determine what Firefox allows as application data when parsing urls in CSS. Is it only fonts or are other things that can draw to the screen permitted eg. svgs (which are also not permitted in Tor), other media etc.
If so it might be safest to prevent the parsing of "application" data at the CSS level?
Trac:
Username: dcent 
I don't necessarily agree with this approach. At some stage safest is going to become practically useless. Downloadable fonts are often used for glyphs/icons (although it's only visual and usually users can intuitively tell what the tofu means). This is not something obscure like graphite.
What is a malicious font?
sysrqb: you kinda jested, but I'm asking in earnest. Can you point me at any documentation?
it might be safest to prevent the parsing of "application" data at the CSS level
This seems like the better approach (and to confirm no other types can be downloaded via this method and exploited). Can a downloadable font used by this method do anything more than one than isn't?
I'm not an expert on data URIs, but my understanding is that security threats from this are (probably) already mitigated by Mozilla upstream - so I'm seriously asking why this needs to be done, or at least some discussion / clarity around it
-
I don't necessarily agree with this approach. At some stage safest is going to become practically useless.
In the highest security level fonts are already blocked and I understand that's for a reason. If we want to bundle the free Font Awesome fonts (or any other fonts for that matter) into Tor, then that's another issue, I'd personally be interested in Fira Sans (cannot-sell-font-individually license) and Roboto Slab (fully free license) being added as they serve a different purpose to Arimo but every font added will result in a larger download for Tor Browser.
What is a malicious font?
I did read about this once, it might be on these forums.
[Preventing the parsing of "application" data at the CSS level] seems like the better approach (and to confirm no other types can be downloaded via this method and exploited). Can a downloadable font used by this method do anything more than one than isn't?
Agree on this and the question posed.
Trac:
Username: dcent -
Replying to dcent:
In the highest security level fonts are already blocked and I understand that's for a reason
No they're not, only some fonts types are blocked: graphite and opentype_svg. That doesn't mean we should just block all downloadable fonts. All I'm asking is what is the actual threat here - because TBH I'm not seeing one yet, and this affects usability (ligatures and icon fonts are widespread)
-
See https://forums.informaction.com/viewtopic.php?p=101745 Seems, there's no need to change something in TB.
Trac:
Username: Yeti 
This should work as expected in Please check https://noscript.net/getit#devel, thanks.
v 11.0.15rc1
x Fixed CapsCSP bug allowing data: URLs to bypass font blocking (thanks dcent and skriptimaahinen) x [XSS] Prevent DOS detection from being triggered for already aborted requests (thanks therube)
-
Thanks, ma1, and thank you too.
Today I discovered this problem goes beyond fonts.
On this page there are two instances of gifs being encoded and five instances of image/svg+xml, shown below.
.ui-menu .ui-menu-item { margin:0; cursor:pointer; list-style-image:url("data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7") } .ui-progressbar .ui-progressbar-overlay { background:url("data:image/gif;base64,R0lGODlhKAAoAIABAAAAAP///yH/C05FVFNDQVBFMi4wAwEAAAAh+QQJAQABACwAAAAAKAAoAAACkYwNqXrdC52DS06a7MFZI+4FHBCKoDeWKXqymPqGqxvJrXZbMx7Ttc+w9XgU2FB3lOyQRWET2IFGiU9m1frDVpxZZc6bfHwv4c1YXP6k1Vdy292Fb6UkuvFtXpvWSzA+HycXJHUXiGYIiMg2R6W459gnWGfHNdjIqDWVqemH2ekpObkpOlppWUqZiqr6edqqWQAAIfkECQEAAQAsAAAAACgAKAAAApSMgZnGfaqcg1E2uuzDmmHUBR8Qil95hiPKqWn3aqtLsS18y7G1SzNeowWBENtQd+T1JktP05nzPTdJZlR6vUxNWWjV+vUWhWNkWFwxl9VpZRedYcflIOLafaa28XdsH/ynlcc1uPVDZxQIR0K25+cICCmoqCe5mGhZOfeYSUh5yJcJyrkZWWpaR8doJ2o4NYq62lAAACH5BAkBAAEALAAAAAAoACgAAAKVDI4Yy22ZnINRNqosw0Bv7i1gyHUkFj7oSaWlu3ovC8GxNso5fluz3qLVhBVeT/Lz7ZTHyxL5dDalQWPVOsQWtRnuwXaFTj9jVVh8pma9JjZ4zYSj5ZOyma7uuolffh+IR5aW97cHuBUXKGKXlKjn+DiHWMcYJah4N0lYCMlJOXipGRr5qdgoSTrqWSq6WFl2ypoaUAAAIfkECQEAAQAsAAAAACgAKAAAApaEb6HLgd/iO7FNWtcFWe+ufODGjRfoiJ2akShbueb0wtI50zm02pbvwfWEMWBQ1zKGlLIhskiEPm9R6vRXxV4ZzWT2yHOGpWMyorblKlNp8HmHEb/lCXjcW7bmtXP8Xt229OVWR1fod2eWqNfHuMjXCPkIGNileOiImVmCOEmoSfn3yXlJWmoHGhqp6ilYuWYpmTqKUgAAIfkECQEAAQAsAAAAACgAKAAAApiEH6kb58biQ3FNWtMFWW3eNVcojuFGfqnZqSebuS06w5V80/X02pKe8zFwP6EFWOT1lDFk8rGERh1TTNOocQ61Hm4Xm2VexUHpzjymViHrFbiELsefVrn6XKfnt2Q9G/+Xdie499XHd2g4h7ioOGhXGJboGAnXSBnoBwKYyfioubZJ2Hn0RuRZaflZOil56Zp6iioKSXpUAAAh+QQJAQABACwAAAAAKAAoAAACkoQRqRvnxuI7kU1a1UU5bd5tnSeOZXhmn5lWK3qNTWvRdQxP8qvaC+/yaYQzXO7BMvaUEmJRd3TsiMAgswmNYrSgZdYrTX6tSHGZO73ezuAw2uxuQ+BbeZfMxsexY35+/Qe4J1inV0g4x3WHuMhIl2jXOKT2Q+VU5fgoSUI52VfZyfkJGkha6jmY+aaYdirq+lQAACH5BAkBAAEALAAAAAAoACgAAAKWBIKpYe0L3YNKToqswUlvznigd4wiR4KhZrKt9Upqip61i9E3vMvxRdHlbEFiEXfk9YARYxOZZD6VQ2pUunBmtRXo1Lf8hMVVcNl8JafV38aM2/Fu5V16Bn63r6xt97j09+MXSFi4BniGFae3hzbH9+hYBzkpuUh5aZmHuanZOZgIuvbGiNeomCnaxxap2upaCZsq+1kAACH5BAkBAAEALAAAAAAoACgAAAKXjI8By5zf4kOxTVrXNVlv1X0d8IGZGKLnNpYtm8Lr9cqVeuOSvfOW79D9aDHizNhDJidFZhNydEahOaDH6nomtJjp1tutKoNWkvA6JqfRVLHU/QUfau9l2x7G54d1fl995xcIGAdXqMfBNadoYrhH+Mg2KBlpVpbluCiXmMnZ2Sh4GBqJ+ckIOqqJ6LmKSllZmsoq6wpQAAAh+QQJAQABACwAAAAAKAAoAAAClYx/oLvoxuJDkU1a1YUZbJ59nSd2ZXhWqbRa2/gF8Gu2DY3iqs7yrq+xBYEkYvFSM8aSSObE+ZgRl1BHFZNr7pRCavZ5BW2142hY3AN/zWtsmf12p9XxxFl2lpLn1rseztfXZjdIWIf2s5dItwjYKBgo9yg5pHgzJXTEeGlZuenpyPmpGQoKOWkYmSpaSnqKileI2FAAACH5BAkBAAEALAAAAAAoACgAAAKVjB+gu+jG4kORTVrVhRlsnn2dJ3ZleFaptFrb+CXmO9OozeL5VfP99HvAWhpiUdcwkpBH3825AwYdU8xTqlLGhtCosArKMpvfa1mMRae9VvWZfeB2XfPkeLmm18lUcBj+p5dnN8jXZ3YIGEhYuOUn45aoCDkp16hl5IjYJvjWKcnoGQpqyPlpOhr3aElaqrq56Bq7VAAAOw=="); height:100%; filter:alpha(opacity=25); opacity:.25 } .pagination-arrow.left { left:0; background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjNEE0QTRBIiBzdHJva2Utd2lkdGg9IjIiIHBvaW50cz0iMTkgMTQgMTkgMzEgMzYgMzEiIHRyYW5zZm9ybT0icm90YXRlKDQ1IDMxLjM2NCAxLjEpIi8+PC9zdmc+"); background-repeat:no-repeat; background-position:50%; background-size:contain } .pagination-arrow.left:hover { background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjRkZGIiBzdHJva2VXaWR0aD0iMiIgcG9pbnRzPSIxOSAxNCAxOSAzMSAzNiAzMSIgdHJhbnNmb3JtPSJyb3RhdGUoNDUgMzEuMzY0IDEuMSkiIC8+PC9zdmc+") } .pagination-arrow.right { right:-1rem; background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjNEE0QTRBIiBzdHJva2Utd2lkdGg9IjIiIHBvaW50cz0iMTkgMTQgMTkgMzEgMzYgMzEiIHRyYW5zZm9ybT0ic2NhbGUoLTEgMSkgcm90YXRlKDQ1IDIzLjg2NCAtMTcuMDA2KSIvPjwvc3ZnPg=="); background-repeat:no-repeat; background-position:50%; background-size:contain } .pagination-arrow.right:hover { background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjRkZGIiBzdHJva2VXaWR0aD0iMiIgcG9pbnRzPSIxOSAxNCAxOSAzMSAzNiAzMSIgdHJhbnNmb3JtPSJzY2FsZSgtMSAxKSByb3RhdGUoNDUgMjMuODY0IC0xNy4wMDYpIiAvPjwvc3ZnPg==") } .external-link-icon { background-position:100%; background-repeat:no-repeat; background-image:linear-gradient(transparent,transparent),url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12'%3E%3Cpath fill='%23fff' stroke='%2336c' d='M1.5 4.518h5.982V10.5H1.5z'/%3E%3Cpath fill='%2336c' d='M5.765 1H11v5.39L9.427 7.937l-1.31-1.31L5.393 9.35l-2.69-2.688 2.81-2.808L4.2 2.544z'/%3E%3Cpath fill='%23fff' d='M9.995 2.004l.022 4.885L8.2 5.07 5.32 7.95 4.09 6.723l2.882-2.88-1.85-1.852z'/%3E%3C/svg%3E"); padding-right:13px }SVGs are prevented from loading in Tor, and I don't believe that has anything to do with NoScript.
To restate what Thorin said:
[Preventing the parsing of data at the CSS level] seems like the better approach (and to confirm no other types can be downloaded via this method and exploited). Can a downloadable font used by this method do anything more than one than isn't?
Trac:
Username: dcent Replying to ma1:
This should work as expected in Please check https://noscript.net/getit#devel, thanks.
Thanks ma1! We'll use NoScript 11.0.15 instead of the patch I posted.
