As you may already know, now that Mozilla has fixed the recent Firefox 3.6 "0-day" at light speed and the vulnerability details are public, the feature that protected NoScript users against it by default was Forbid @font-face.

NoScript Options|Embeddings|Forbid @font-face

The @font-face CSS rule allows web authors to download online typefaces (so-called "web fonts") on the fly, enhancing the rendering of their pages' text:

By allowing authors to provide their own fonts, @font-face eliminates the need to depend on the limited number of fonts users have installed on their computers.

A web font inclusion blocked by NoScript

If you're wondering why NoScript -- for a long time now -- has been treating web fonts the same way as other "active" embeddings, such as plugin content and HTML 5 media elements, here's an excerpt of an email which Mike Perry (Mr. Torbutton) sent me last year, eloquently advocating this treatment:

It really worries me that the FreeType font library is now being made to accept untrusted content from the web.

The library probably wasn't written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executables on a computer, and it's already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.

It is a very large library that actually includes a virtual machine that has been rewritten from Pascal to single-threaded non-reentrant C to reentrant C... The code is extremely hairy and hard to review, especially for the VM.

The reason I don't want to do this blocking in Torbutton is because Torbutton is only about protecting users from privacy risks, not general security risks. Users who want enhanced security are encouraged to use your extension and others on our FAQ page.

15 Responses to “Why NoScript Blocks Web Fonts”

  3. #3 Dan says:

    Wouldn't it be possible to whitelist 95% of the most common fonts that are included like this via md5? At least that way most sites can be functional with only offbeat fonts needing to be added.

  4. #4 Robert O'Callahan says:

    Freetype has actually been exposed to untrusted content for a long time now. For example, Word documents and PDF documents both allow embedding of arbitrary Truetype fonts.

  5. #5 Ryan Allen says:

    NoScript is the Tin Foil Hat of the internet. You obsess about security and you're all running Windows. The joke is over, stop it would you!

  6. #6 Lina Inverse says:

    Ryan Allen: I run Firefox on my x86-64 Linux system, not Windows, so I'd say the security it provides me is no joke.

  7. #7 ⬡ says:

    Personally, I use NoScript not so much for security as to block annoying scripts, which seem to be about 95% of the scripts out there. It's just too bad those scripts tend to appear on sites that require scripts for basic functionality that has no need to require scripts - like, for example, the comment form on this very page. (ReCaptcha's no-script version has never worked.)

    Whitelisting fonts based on a secure hash (not MD5) would be one good idea, so long as that whitelist is not saved anywhere - otherwise the server could easily return a good font once, and any arbitrary data the next time.

    Hopefully someone will fix/replace the font library so it's secure enough for this functionality to be trustworthy...
    (maybe replace the VM with Lua bytecode? ;-) )

  8. #8 ⬡ says:

    Er, my statement didn't quite make sense... the whitelist itself obviously has to be saved, but automatically adding the URLs/domains/etc of any font that matches a whitelisted hash to the allow list would of course be a bad idea - the file needs to be tested every time it's downloaded.

  9. #9 Adam Langley says:

    Chromium passes all web fonts through a sanitiser first which, as one of its actions, removes the hinting tables.

    As with all Chromium code, it's BSD licensed: http://code.google.com/p/ots/
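
What "removes the hinting tables" involves at the file-format level, as an added example that is not part of the original comments and is not OTS code: it walks the sfnt table directory of an untrusted font with bounds checks and separates out the tables that hold TrueType hinting programs and their data (`fpgm`, `prep`, `cvt `). The function names and the sample bytes are constructed for illustration.

```javascript
// Added example, not OTS code. Tables that hold TrueType hinting programs or their
// data; per-glyph instructions stored inside 'glyf' are out of scope here.
const HINTING_TABLES = new Set(['fpgm', 'prep', 'cvt ']);

// Parse the sfnt table directory of an untrusted font, refusing anything out of bounds.
function readTableDirectory(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes.length < 12) throw new Error('truncated offset table');
  const version = view.getUint32(0); // sfnt fields are big-endian (the DataView default)
  if (version !== 0x00010000 && version !== 0x4f54544f) throw new Error('not an sfnt font');
  const numTables = view.getUint16(4);
  if (12 + numTables * 16 > bytes.length) throw new Error('truncated table directory');
  const tables = [];
  for (let i = 0; i < numTables; i++) {
    const rec = 12 + i * 16; // record layout: tag, checksum, offset, length (4 bytes each)
    const tag = String.fromCharCode(bytes[rec], bytes[rec + 1], bytes[rec + 2], bytes[rec + 3]);
    const offset = view.getUint32(rec + 8);
    const length = view.getUint32(rec + 12);
    // Both values come from the file: validate before anything dereferences them.
    if (offset + length > bytes.length) throw new Error(`table ${tag} out of bounds`);
    tables.push({ tag, offset, length });
  }
  return tables;
}

// Decide which tables a hinting-stripping pass would keep and which it would drop.
function planSanitise(bytes) {
  const tables = readTableDirectory(bytes);
  return {
    keep: tables.filter((t) => !HINTING_TABLES.has(t.tag)).map((t) => t.tag),
    drop: tables.filter((t) => HINTING_TABLES.has(t.tag)).map((t) => t.tag),
  };
}

// Constructed sample: header + directory + 4 data bytes per table (not a usable font).
function buildSample(tags, lieAboutLength = false) {
  const dirEnd = 12 + tags.length * 16;
  const bytes = new Uint8Array(dirEnd + tags.length * 4);
  const view = new DataView(bytes.buffer);
  view.setUint32(0, 0x00010000);
  view.setUint16(4, tags.length);
  tags.forEach((tag, i) => {
    const rec = 12 + i * 16;
    for (let j = 0; j < 4; j++) bytes[rec + j] = tag.charCodeAt(j);
    view.setUint32(rec + 8, dirEnd + i * 4);
    view.setUint32(rec + 12, lieAboutLength ? 0xffff : 4);
  });
  return bytes;
}
console.log(planSanitise(buildSample(['cvt ', 'fpgm', 'glyf', 'head', 'prep'])));
```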

  10. #10 Andrew says:

    @Ryan Allen. Get a clue. Has it ever occurred to you that Windows 7 != Windows 95? OSX is a security nightmare (Apple often react slowly to exploits) and the same Linux newbs who say this rubbish are the ones telling users to go grab randomly repackaged deb/rpm files off google (from untrustworthy developers), when the original developers don't support their packaging system. Hilariously, they also don't realise that Microsoft would NEVER make many of the serious and obvious security issues distros like Ubuntu had (like sudo authentications which could be reused by viruses to easily escalate privs, or exposing passwords in full text). Of course, people like you are simply sheep.

    Never realised that web fonts were so complex. I'd imagine though that web font support will be locked down to be more secure in the future though (maybe with the mozilla 2 platform)

  11. #11 Jack says:

    The author of the program should make a script to make this page into a readable colour theme.

    Recaptcha works with a word from a scanned book and a "real" word. Supposedly the user doesn't know which. In reality the "real" word is easily identifiable. CAPTCHAs are a nuisance, a usability and accessibility nightmare and an embarrassing fail.
    ReCAPTCHAs are no different. Even the name is a sign of stupidity.

  12. #12 Stewart says:

    Personally, I also use NoScript. Nevertheless, I must say that Firefox is way much better than Internet Explorer.

  13. #13 Anonymous Coward says:

    Is the browser.display.use_document_fonts preference set to 0 essentially the same as the "Forbid @font-face" option?

  14. #14 Giorgio says:

    @Anonymous Coward:
    Nope, because using the built-in preference you can't choose to selectively allow web fonts on pages you trust or temporarily allow specific font instances.

  15. #15 Y.A.Winston Smith says:

    Have you ever tried to explain to intelligent, but never-before computer users, sometimes 80-years-old and above, how the dangers of the web and all its traps - THEN try to explain Giorgio's excellent program and WHAT TO DO to stay protected AND get to view the site?

    It's one thing to set up Ghostiary and the like, make them search through Scroogle and use behind-the-scenes beacon and unwanted add-on killers. - but NOSCRIPT? I love the program, though it is the most aggravating thing I've used at times. For someone who doesn't understand the basic concept of a script they cannot see, forget it! Is it possible to create a Few Scripts or No Script Lite, which, despite its name would be much more complicated - something that can let them use their computers - my parents use their computer - and the web, where living at home (long story) and RTFM means Ring the Family Maven ('Maven' long A short e, equal emphasis on both syllables, transliterated Yiddish - in Yinglish: 1) a true expert,"That maven got the machine back up in no time" or 2) a puffed up incompetent (used sarcastically as a cutting insult without maladicta "Such a wine maven, he can't even open a bottle of champagne without breaking the cork") (Maladicta mod. academic Latin: "bad words" (see George Carlin's 'Seven words you can never say on TV' words that are neither blasphemous or call upon one's Deity(ies) to justly condemn a person, or inherently bad except that they have been socially decided insults or just bad language ... for absolutely no reason in particular)...
    ... that would allow me to put stronger security on their network AND get some rest?

    "Here comes a candle to light you to bed"
