Comments on: Why NoScript Blocks Web Fonts

By: Y.A.Winston Smith

Y.A.Winston Smith — Sun, 23 May 2010 18:28:58 +0000

Have you ever tried to explain to intelligent, but never-before computer users, sometimes 80-years-old and above, how the dangers of the web and all its traps - THEN try to explain Giorgio’s excellent program and WHAT TO DO to stay protected AND get to view the site?

It’s one thing to set up Ghostiary and the like, make them search through Scroogle and use behind-the-scenes beacon and unwanted add-on killers. - but NOSCRIPT? I love the program, though it is the most aggravating thing I’ve used at times. For someone who doesn’t understand the basic concept of a script they cannot see, forget it! Is it possible to create a Few Scripts or No Script Lite, which, despite its name would be much more complicated - something that can let them use their computers - my parents use their computer - and the web, where living at home (long story) and RTFM means Ring the Family Maven (’Maven’ long A short e, equal emphasis on both syllables, transliterated Yiddish - in Yinglish: 1) a true expert,"That maven got the machine back up in no time" or 2) a puffed up incompetent (used sarcastically as a cutting insult without maladicta "Such a wine maven, he can’t even open a bottle of champagne without breaking the cork") (Maladicta mod. academic Latin: "bad words" (see George Carlin’s ‘Seven words you can never say on TV’ words that are neither blasphemous or call upon one’s Deity(ies) to justly condemn a person, or inherently bad except that they have been socially decided insults or just bad language … for absolutely no reason in particular)…
… that would allow me to put stronger security on their network AND get some rest?

"Here comes a candle to light you to bed"

By: Giorgio

Giorgio — Wed, 28 Apr 2010 13:20:48 +0000

@Anonymous Coward:
Nope, because using the built-in preference you can’t choose to selectively allow web fonts on pages you trust or temporarily allow specific font instances.

By: Anonymous Coward

Anonymous Coward — Tue, 27 Apr 2010 15:06:09 +0000

Is the browser.display.use_document_fonts preference set to 0 essentially the same as the "Forbid @font-face" option?

By: Stewart

Stewart — Fri, 02 Apr 2010 15:30:57 +0000

Personally, I also use noscript. Nevertheless, I must say that firefox is way much better that Internet explorer.

By: Jack

Jack — Fri, 26 Mar 2010 04:31:38 +0000

The author of the program should make a script to make this page into a readable colour theme.

Recaptcha works with a word from a scanned book and a "real" word. Supposedly the user doesn’t know which. In reality the "real" word is easily identifiable. CAPTCHAs are a nuisance, an usability and accessibility nightmare and an embarrassing fail.
ReCAPTCHAs are no different. Even the name is a sign of stupidity.

By: Andrew

Andrew — Thu, 25 Mar 2010 06:38:27 +0000

@Ryan Allen. Get a clue. Has it ever occurred to you that Windows 7 != Windows 95? OSX is a security nightmare (Apple often react slowly to exploits) and the same linux newbs who say this rubbish are the ones telling users to go grab randomly repackaged deb/rpm files off google (from untrustworthy developers), when the original developers don’t support their packaging system. Hilariously, they also don’t realise that Microsoft would NEVER make many of the serious and obvious security issues distro’s like Ubuntu had (like sudo authentications which could be reused by viruses to easily escalate privs, or exposing passwords in full text). Of course, people like you are simply sheep.

Never realised that web font’s were so complex. I’d imagine though that web font support will be locked down to be more secure in the future though (maybe with the mozilla 2 platform)

By: Adam Langley

Adam Langley — Thu, 25 Mar 2010 00:52:39 +0000

Chromium passes all web font through a sanitiser first which, as one of it’s actions, removes the hinting tables.

As with all Chromium code, it’s BSD licensed: http://code.google.com/p/ots/

By: ⬡

Thu, 25 Mar 2010 00:09:14 +0000

Er, my statement didn’t quite make sense… the whitelist itself obviously has to be saved, but automatically adding the URLs/domains/etc of any font that matches a whitelisted hash to the allow list would of course be a bad idea - the file needs to be tested every time it’s downloaded.

By: ⬡

Thu, 25 Mar 2010 00:06:10 +0000

Personally, I use NoScript not so much for security as to block annoying scripts, which seem to be about 95% of the scripts out there. It’s just too bad those scripts tend to appear on sites that require scripts for basic functionality that has no need to require scripts - like, for example, the comment form on this very page. (ReCaptcha’s no-script version has never worked.)

Whitelisting fonts based on a secure hash (not MD5) would be one good idea, so long as that whitelist is not saved anywhere - otherwise the server could easily return a good font once, and any arbitrary data the next time.

Hopefully someone will fix/replace the font library so it’s secure enough for this functionality to be trustworthy…
(maybe replace the VM with Lua bytecode? ;-) )

By: Lina Inverse

Lina Inverse — Wed, 24 Mar 2010 22:20:54 +0000

Ryan Allen: I run Firefox on my x86-64 Linux system, not Windows, so I’d say the security it provides me is no joke.