As you may already know, now that Mozilla has fixed the recent Firefox 3.6’s “0-day” at light speed and vulnerability details are public, the feature protecting NoScript’s users against this by default was Forbid @font-face.
The @font-face CSS rule allows web authors to download online typefaces (so called “web fonts”) on the fly, enhancing the rendering of their pages’ text:
By allowing authors to provide their own fonts, @font-face eliminates the need to depend on the limited number of fonts users have installed on their computers.
If you’re wondering why NoScript — for a long time now — has been treating web fonts the same way as other “active” embeddings, such as plugin content and HTML 5 media elements, here’s an excerpt of an email which Mike Perry (Mr. Torbutton) sent me past year, eloquently advocating this treatment:
It really worries me that the FreeType font library is now being made to accept untrusted content from the web.
The library probably wasn’t written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executable on a computer, and it’s already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.
It is a very large library that actually includes a virtual machine that has been rewritten from pascal to single-threaded non-reentrant C to reentrant C… The code is extremely hairy and hard to review, especially for the VM.
The reason I don’t want to do this blocking in Torbutton is because Torbutton is only about protecting users from privacy risks, not general security risks. Users who want enhanced security are encouraged to use your extension and others on our FAQ page.
Mario Heiderich give us yet another reason why we need to be careful about web fonts.