Opened 6 weeks ago

Closed 5 days ago

#33430 closed defect (fixed)

Disable downloadable fonts on Safest security level

Reported by: dcent Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: TorBrowserTeam202003R, tbb-9.0.6
Cc: Actual Points:
Parent ID: Points:
Reviewer: acat Sponsor:

Description

Websites can circumvent measures by Tor Browser / NoScript to reject fonts.

Fonts can be injected as “application/font” data in base64 format, directly into the CSS! I discovered this at [CSS Tricks](https://css-tricks.com/snippets/css/a-guide-to-flexbox/)... go figure. I've noticed this on another website since.

To replicate, go to the above site in Tor's highest security setting.

You'll see that the fonts are not your usual fonts.

Inspect the CSS and you'll see code like this to "import" the fonts:

@font-face {

font-family:sentinel ssm a;
src:url(data:application/x-font-woff2;base64,d09GMgABAAAAAFKQABIAAAAArzgAAFIsAAFNDgAAAAA etc etc);
font-weight:400;
font-style:normal

}

The thing that struck me is that the embedded mime type is ‘application/x-font-woff2’. What other “application” types might be embed-able and usable/executable?

I did a search and didn't see this as a ticket.

Child Tickets

Change History (21)

comment:1 Changed 6 weeks ago by Thorin

And how exactly is this a fingerprinting (or security) issue?

comment:2 Changed 6 weeks ago by Yeti

IMHO malicious fonts can be harmful. I didn't check this behaviour but if it's true, this is more a NoScript-issue.

comment:3 Changed 6 weeks ago by dcent

An issue with NoScript is by extension an issue with Tor Browser.

It's easy to reproduce as stated in the ticket, but if you have any further questions I'd be happy to answer.

Is anyone at Guardian Project able to follow this up with the NoScript developer(s) or direct the NoScript developer(s) over here?

Last edited 6 weeks ago by dcent (previous) (diff)

comment:4 Changed 5 weeks ago by Yeti

I think you should discuss this better here: https://forums.informaction.com/viewforum.php?f=3

comment:5 in reply to:  2 Changed 5 weeks ago by sysrqb

Replying to Yeti:

IMHO malicious fonts can be harmful. I didn't check this behaviour but if it's true, this is more a NoScript-issue.

What is a malicious font?

comment:6 in reply to:  3 Changed 5 weeks ago by sysrqb

Replying to dcent:

Is anyone at Guardian Project able to follow this up with the NoScript developer(s) or direct the NoScript developer(s) over here?

The Guardian Project is not related to NoScript.

comment:7 Changed 5 weeks ago by sysrqb

Keywords: TorBrowserTeam202002 added
Summary: Fonts can be injected into a website via CSS (as base64 encoded application)Disable downloadable fonts on Safest security level

Thanks for reporting this. While I was partially joking about a "malicious font", I did take this seriously. This could be a attack vector, so I dug into it a bit and it looks like we can flip gfx.downloadable_fonts.enabled on Safest and it will ignore webfonts.

comment:8 Changed 5 weeks ago by sysrqb

Reviewer: acat
Status: newneeds_review

While this is still fresh in my mind: bug33430_00

https://gitweb.torproject.org/user/sysrqb/torbutton.git/commit/?h=bug33430_00&id=9e18e7e2a9042976e128f96bddd1d38953512d73

I verified this works by loading the provided example page on Safer (before disabling the pref), I opened the webtools Inspector, I selected an element on the page (any of them should work), from the panel on the right-side I selected the "fonts" tab, at the bottom of the fonts tab there is an "All fonts on page" arrow/toggle (at least in English). Clicking this shows all fonts used on the page, and indeed it shows the data: webfonts.

After disabling the downloadable_fonts pref, I refreshed the page and repeated the above steps. It shows only system fonts were used.

In parallel, I went code-diving and this seems reasonable.

comment:9 Changed 5 weeks ago by cypherpunks

TorBrowserTeam202002R

comment:10 Changed 5 weeks ago by dcent

Good to see this is being addressed.

It might be advantageous to determine what Firefox allows as application data when parsing urls in CSS. Is it only fonts or are other things that can draw to the screen permitted eg. svgs (which are also not permitted in Tor), other media etc.

If so it might be safest to prevent the parsing of "application" data at the CSS level?

comment:11 Changed 5 weeks ago by Thorin

I don't necessarily agree with this approach. At some stage safest is going to become practically useless. Downloadable fonts are often used for glyphs/icons (although it's only visual and usually users can intuitively tell what the tofu means). This is not something obscure like graphite.

What is a malicious font?

sysrqb: you kinda jested, but I'm asking in earnest. Can you point me at any documentation?

it might be safest to prevent the parsing of "application" data at the CSS level

This seems like the better approach (and to confirm no other types can be downloaded via this method and exploited). Can a downloadable font used by this method do anything more than one than isn't?

I'm not an expert on data URIs, but my understanding is that security threats from this are (probably) already mitigated by Mozilla upstream - so I'm seriously asking why this needs to be done, or at least some discussion / clarity around it

comment:12 Changed 5 weeks ago by dcent

I don't necessarily agree with this approach. At some stage safest is going to become practically useless.

In the highest security level fonts are already blocked and I understand that's for a reason. If we want to bundle the free Font Awesome fonts (or any other fonts for that matter) into Tor, then that's another issue, I'd personally be interested in Fira Sans (cannot-sell-font-individually license) and Roboto Slab (fully free license) being added as they serve a different purpose to Arimo but every font added will result in a larger download for Tor Browser.

What is a malicious font?

I did read about this once, it might be on these forums.

[Preventing the parsing of "application" data at the CSS level] seems like the better approach (and to confirm no other types can be downloaded via this method and exploited). Can a downloadable font used by this method do anything more than one than isn't?

Agree on this and the question posed.

Last edited 5 weeks ago by dcent (previous) (diff)

comment:13 Changed 5 weeks ago by boklm

Keywords: TorBrowserTeam202002R added; TorBrowserTeam202002 removed

comment:14 in reply to:  12 Changed 5 weeks ago by Thorin

Replying to dcent:

In the highest security level fonts are already blocked and I understand that's for a reason

No they're not, only some fonts types are blocked: graphite and opentype_svg. That doesn't mean we should just block all downloadable fonts. All I'm asking is what is the actual threat here - because TBH I'm not seeing one yet, and this affects usability (ligatures and icon fonts are widespread)

comment:15 in reply to:  8 Changed 5 weeks ago by acat

The patch looks good to me.

comment:16 Changed 5 weeks ago by Yeti

See https://forums.informaction.com/viewtopic.php?p=101745
Seems, there's no need to change something in TB.

comment:17 Changed 5 weeks ago by ma1

This should work as expected in Please check https://noscript.net/getit#devel, thanks.

v 11.0.15rc1
============================================================
x Fixed CapsCSP bug allowing data: URLs to bypass font

blocking (thanks dcent and skriptimaahinen)

x [XSS] Prevent DOS detection from being triggered for

already aborted requests (thanks therube)

comment:18 Changed 5 weeks ago by dcent

Thanks, ma1, and thank *you* too.

Today I discovered this problem goes beyond fonts.

On [this page](https://archive.org/details/JFKTo911) there are two instances of gifs being encoded and five instances of image/svg+xml, shown below.

.ui-menu .ui-menu-item {
 margin:0;
 cursor:pointer;
 list-style-image:url("data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")
}

.ui-progressbar .ui-progressbar-overlay {
 background:url("data:image/gif;base64,R0lGODlhKAAoAIABAAAAAP///yH/C05FVFNDQVBFMi4wAwEAAAAh+QQJAQABACwAAAAAKAAoAAACkYwNqXrdC52DS06a7MFZI+4FHBCKoDeWKXqymPqGqxvJrXZbMx7Ttc+w9XgU2FB3lOyQRWET2IFGiU9m1frDVpxZZc6bfHwv4c1YXP6k1Vdy292Fb6UkuvFtXpvWSzA+HycXJHUXiGYIiMg2R6W459gnWGfHNdjIqDWVqemH2ekpObkpOlppWUqZiqr6edqqWQAAIfkECQEAAQAsAAAAACgAKAAAApSMgZnGfaqcg1E2uuzDmmHUBR8Qil95hiPKqWn3aqtLsS18y7G1SzNeowWBENtQd+T1JktP05nzPTdJZlR6vUxNWWjV+vUWhWNkWFwxl9VpZRedYcflIOLafaa28XdsH/ynlcc1uPVDZxQIR0K25+cICCmoqCe5mGhZOfeYSUh5yJcJyrkZWWpaR8doJ2o4NYq62lAAACH5BAkBAAEALAAAAAAoACgAAAKVDI4Yy22ZnINRNqosw0Bv7i1gyHUkFj7oSaWlu3ovC8GxNso5fluz3qLVhBVeT/Lz7ZTHyxL5dDalQWPVOsQWtRnuwXaFTj9jVVh8pma9JjZ4zYSj5ZOyma7uuolffh+IR5aW97cHuBUXKGKXlKjn+DiHWMcYJah4N0lYCMlJOXipGRr5qdgoSTrqWSq6WFl2ypoaUAAAIfkECQEAAQAsAAAAACgAKAAAApaEb6HLgd/iO7FNWtcFWe+ufODGjRfoiJ2akShbueb0wtI50zm02pbvwfWEMWBQ1zKGlLIhskiEPm9R6vRXxV4ZzWT2yHOGpWMyorblKlNp8HmHEb/lCXjcW7bmtXP8Xt229OVWR1fod2eWqNfHuMjXCPkIGNileOiImVmCOEmoSfn3yXlJWmoHGhqp6ilYuWYpmTqKUgAAIfkECQEAAQAsAAAAACgAKAAAApiEH6kb58biQ3FNWtMFWW3eNVcojuFGfqnZqSebuS06w5V80/X02pKe8zFwP6EFWOT1lDFk8rGERh1TTNOocQ61Hm4Xm2VexUHpzjymViHrFbiELsefVrn6XKfnt2Q9G/+Xdie499XHd2g4h7ioOGhXGJboGAnXSBnoBwKYyfioubZJ2Hn0RuRZaflZOil56Zp6iioKSXpUAAAh+QQJAQABACwAAAAAKAAoAAACkoQRqRvnxuI7kU1a1UU5bd5tnSeOZXhmn5lWK3qNTWvRdQxP8qvaC+/yaYQzXO7BMvaUEmJRd3TsiMAgswmNYrSgZdYrTX6tSHGZO73ezuAw2uxuQ+BbeZfMxsexY35+/Qe4J1inV0g4x3WHuMhIl2jXOKT2Q+VU5fgoSUI52VfZyfkJGkha6jmY+aaYdirq+lQAACH5BAkBAAEALAAAAAAoACgAAAKWBIKpYe0L3YNKToqswUlvznigd4wiR4KhZrKt9Upqip61i9E3vMvxRdHlbEFiEXfk9YARYxOZZD6VQ2pUunBmtRXo1Lf8hMVVcNl8JafV38aM2/Fu5V16Bn63r6xt97j09+MXSFi4BniGFae3hzbH9+hYBzkpuUh5aZmHuanZOZgIuvbGiNeomCnaxxap2upaCZsq+1kAACH5BAkBAAEALAAAAAAoACgAAAKXjI8By5zf4kOxTVrXNVlv1X0d8IGZGKLnNpYtm8Lr9cqVeuOSvfOW79D9aDHizNhDJidFZhNydEahOaDH6nomtJjp1tutKoNWkvA6JqfRVLHU/QUfau9l2x7G54d1fl995xcIGAdXqMfBNadoYrhH+Mg2KBlpVpbluCiXmMnZ2Sh4GBqJ+ckIOqqJ6LmKSllZmsoq6wpQAAAh+QQJAQABACwAAAAAKAAoAAAClYx/oLvoxuJDkU1a1YUZbJ59nSd2ZXhWqbRa2/gF8Gu2DY3iqs7yrq+xBYEkYvFSM8aSSObE+ZgRl1BHFZNr7pRCavZ5BW2142hY3AN/zWtsmf12p9XxxFl2lpLn1rseztfXZjdIWIf2s5dItwjYKBgo9yg5pHgzJXTEeGlZuenpyPmpGQoKOWkYmSpaSnqKileI2FAAACH5BAkBAAEALAAAAAAoACgAAAKVjB+gu+jG4kORTVrVhRlsnn2dJ3ZleFaptFrb+CXmO9OozeL5VfP99HvAWhpiUdcwkpBH3825AwYdU8xTqlLGhtCosArKMpvfa1mMRae9VvWZfeB2XfPkeLmm18lUcBj+p5dnN8jXZ3YIGEhYuOUn45aoCDkp16hl5IjYJvjWKcnoGQpqyPlpOhr3aElaqrq56Bq7VAAAOw==");
 height:100%;
 filter:alpha(opacity=25);
 opacity:.25
}

.pagination-arrow.left {
 left:0;
 background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjNEE0QTRBIiBzdHJva2Utd2lkdGg9IjIiIHBvaW50cz0iMTkgMTQgMTkgMzEgMzYgMzEiIHRyYW5zZm9ybT0icm90YXRlKDQ1IDMxLjM2NCAxLjEpIi8+PC9zdmc+");
 background-repeat:no-repeat;
 background-position:50%;
 background-size:contain
}
.pagination-arrow.left:hover {
 background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjRkZGIiBzdHJva2VXaWR0aD0iMiIgcG9pbnRzPSIxOSAxNCAxOSAzMSAzNiAzMSIgdHJhbnNmb3JtPSJyb3RhdGUoNDUgMzEuMzY0IDEuMSkiIC8+PC9zdmc+")
}
.pagination-arrow.right {
 right:-1rem;
 background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjNEE0QTRBIiBzdHJva2Utd2lkdGg9IjIiIHBvaW50cz0iMTkgMTQgMTkgMzEgMzYgMzEiIHRyYW5zZm9ybT0ic2NhbGUoLTEgMSkgcm90YXRlKDQ1IDIzLjg2NCAtMTcuMDA2KSIvPjwvc3ZnPg==");
 background-repeat:no-repeat;
 background-position:50%;
 background-size:contain
}
.pagination-arrow.right:hover {
 background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NCIgaGVpZ2h0PSI0NCIgdmlld0JveD0iMCAwIDE1IDI3Ij48cG9seWxpbmUgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjRkZGIiBzdHJva2VXaWR0aD0iMiIgcG9pbnRzPSIxOSAxNCAxOSAzMSAzNiAzMSIgdHJhbnNmb3JtPSJzY2FsZSgtMSAxKSByb3RhdGUoNDUgMjMuODY0IC0xNy4wMDYpIiAvPjwvc3ZnPg==")
}

.external-link-icon {
 background-position:100%;
 background-repeat:no-repeat;
 background-image:linear-gradient(transparent,transparent),url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12'%3E%3Cpath fill='%23fff' stroke='%2336c' d='M1.5 4.518h5.982V10.5H1.5z'/%3E%3Cpath fill='%2336c' d='M5.765 1H11v5.39L9.427 7.937l-1.31-1.31L5.393 9.35l-2.69-2.688 2.81-2.808L4.2 2.544z'/%3E%3Cpath fill='%23fff' d='M9.995 2.004l.022 4.885L8.2 5.07 5.32 7.95 4.09 6.723l2.882-2.88-1.85-1.852z'/%3E%3C/svg%3E");
 padding-right:13px
}

SVGs are prevented from loading in Tor, and I don't believe that has anything to do with NoScript.

To restate what Thorin said:

[Preventing the parsing of data at the CSS level] seems like the better approach (and to confirm no other types can be downloaded via this method and exploited). Can a downloadable font used by this method do anything more than one than isn't?

Last edited 5 weeks ago by dcent (previous) (diff)

comment:19 Changed 5 weeks ago by pili

Keywords: TorBrowserTeam202003R added; TorBrowserTeam202002R removed

We are no longer in February moving reviews

comment:20 in reply to:  17 Changed 4 weeks ago by sysrqb

Replying to ma1:

This should work as expected in Please check https://noscript.net/getit#devel, thanks.

Thanks ma1! We'll use NoScript 11.0.15 instead of the patch I posted.

comment:21 Changed 5 days ago by sysrqb

Keywords: tbb-9.0.6 added
Resolution: fixed
Status: needs_reviewclosed

This was fixed in Tor Browser 9.0.6 (or if/whenever your browser upgraded NoScript).

Note: See TracTickets for help on using tickets.