As you may already know, now that Mozilla has fixed the recent Firefox 3.6 "0-day" at light speed and the vulnerability details are public, the feature that was protecting NoScript users against it by default was Forbid @font-face.

The @font-face CSS rule allows web authors to download online typefaces (so called "web fonts") on the fly, enhancing the rendering of their pages' text:
By allowing authors to provide their own fonts, @font-face eliminates the need to depend on the limited number of fonts users have installed on their computers.

If you're wondering why NoScript has, for a long time now, been treating web fonts the same way as other "active" embeddings, such as plugin content and HTML 5 media elements, here's an excerpt of an email which Mike Perry (Mr. Torbutton) sent me last year, eloquently advocating this treatment:
It really worries me that the FreeType font library is now being made to accept untrusted content from the web.
The library probably wasn't written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executables on a computer, and it's already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.
It is a very large library that actually includes a virtual machine that has been rewritten from Pascal to single-threaded non-reentrant C to reentrant C... The code is extremely hairy and hard to review, especially for the VM.
The reason I don't want to do this blocking in Torbutton is because Torbutton is only about protecting users from privacy risks, not general security risks. Users who want enhanced security are encouraged to use your extension and others on our FAQ page.
March 24th, 2010 at 11:41 pm
Wouldn't it be possible to whitelist 95% of the most common fonts that are included like this via md5? At least that way most sites can be functional with only offbeat fonts needing to be added.
March 24th, 2010 at 11:46 pm
Freetype has actually been exposed to untrusted content for a long time now. For example, Word documents and PDF documents both allow embedding of arbitrary TrueType fonts.
March 25th, 2010 at 12:06 am
NoScript is the Tin Foil Hat of the internet. You obsess about security and you're all running Windows. The joke is over, stop it, would you!
March 25th, 2010 at 12:20 am
Ryan Allen: I run Firefox on my x86-64 Linux system, not Windows, so I'd say the security it provides me is no joke.
March 25th, 2010 at 2:06 am
Personally, I use NoScript not so much for security as to block annoying scripts, which seem to be about 95% of the scripts out there. It's just too bad those scripts tend to appear on sites that require scripts for basic functionality that has no need to require scripts - like, for example, the comment form on this very page. (ReCaptcha's no-script version has never worked.)
Whitelisting fonts based on a secure hash (not MD5) would be one good idea, so long as that whitelist is not saved anywhere - otherwise the server could easily return a good font once, and any arbitrary data the next time.
Hopefully someone will fix/replace the font library so it's secure enough for this functionality to be trustworthy...
(maybe replace the VM with Lua bytecode? ;-) )
March 25th, 2010 at 2:09 am
Er, my statement didn't quite make sense... the whitelist itself obviously has to be saved, but automatically adding the URLs/domains/etc of any font that matches a whitelisted hash to the allow list would of course be a bad idea - the file needs to be tested every time it's downloaded.
March 25th, 2010 at 2:52 am
Chromium passes all web fonts through a sanitiser first which, as one of its actions, removes the hinting tables.
As with all Chromium code, it's BSD licensed: http://code.google.com/p/ots/
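To make concrete both the post's worry about the TrueType bytecode interpreter and the table-stripping approach mentioned in the comment above, here is an added example (mine, not code from the post, NoScript or OTS): it parses the TrueType/OpenType table directory with bounds checks on every record and rebuilds the font without the fpgm/prep/cvt tables that carry interpreter instructions. The sample font bytes are constructed for the demonstration and are not a real typeface.

```python
import struct
# TrueType tables holding instructions for the rasterizer's bytecode interpreter
# (the "VM" the post refers to); a sanitiser such as OTS drops exactly these.
HINTING_TABLES = {b"fpgm", b"prep", b"cvt "}
SFNT_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # 1.0, 'OTTO', 'true'

def parse_tables(data):
    """Parse an sfnt table directory into {tag: bytes}, bounds-checking every record."""
    if len(data) < 12:
        raise ValueError("truncated sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError("unknown sfnt version 0x%08X" % version)
    tables = {}
    for i in range(num_tables):
        rec = data[12 + 16 * i:28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("table directory truncated")
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        # Untrusted offset/length are checked against the file size before any slice is taken.
        if offset < 12 + 16 * num_tables or offset + length > len(data):
            raise ValueError("table %r out of bounds" % tag)
        tables[tag] = data[offset:offset + length]
    return tables

def serialize(tables, version=0x00010000):
    """Write {tag: bytes} back out as a well-formed sfnt with a fresh directory."""
    sel = max(len(tables).bit_length() - 1, 0)
    search_range = (1 << sel) * 16
    header = struct.pack(">IHHHH", version, len(tables), search_range, sel, len(tables) * 16 - search_range)
    directory, body, offset = b"", b"", 12 + 16 * len(tables)
    for tag in sorted(tables):
        padded = tables[tag] + b"\0" * ((-len(tables[tag])) % 4)
        csum = sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF
        directory += struct.pack(">4sIII", tag, csum, offset, len(tables[tag]))
        body += padded
        offset += len(padded)
    return header + directory + body

def strip_hinting(data):
    """Drop fpgm/prep/cvt so no TrueType bytecode reaches the font engine."""
    kept = {t: v for t, v in parse_tables(data).items() if t not in HINTING_TABLES}
    return serialize(kept)

# Constructed sample: a toy sfnt whose fpgm/prep tables carry VM instruction bytes.
SAMPLE_FONT = serialize({
    b"glyf": b"\x00\x01\x00\x05",
    b"fpgm": b"\xb0\x00\x2c",      # PUSHB[0] 0, FDEF: bytecode for the interpreter
    b"prep": b"\xb1\x01\x02\x1d",  # PUSHB[1] 1 2, SCVTCI
})
```

Running `strip_hinting(SAMPLE_FONT)` yields a font whose directory lists only `glyf`; a directory record whose offset points past the end of the file is rejected instead of being dereferenced.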
March 25th, 2010 at 8:38 am
@Ryan Allen. Get a clue. Has it ever occurred to you that Windows 7 != Windows 95? OSX is a security nightmare (Apple often react slowly to exploits) and the same linux newbs who say this rubbish are the ones telling users to go grab randomly repackaged deb/rpm files off google (from untrustworthy developers), when the original developers don't support their packaging system. Hilariously, they also don't realise that Microsoft would NEVER make many of the serious and obvious security issues distros like Ubuntu had (like sudo authentications which could be reused by viruses to easily escalate privs, or exposing passwords in full text). Of course, people like you are simply sheep.
Never realised that web fonts were so complex. I'd imagine that web font support will be locked down to be more secure in the future though (maybe with the mozilla 2 platform).
March 26th, 2010 at 6:31 am
The author of the program should make a script to make this page into a readable colour theme.
Recaptcha works with a word from a scanned book and a "real" word. Supposedly the user doesn't know which. In reality the "real" word is easily identifiable. CAPTCHAs are a nuisance, a usability and accessibility nightmare and an embarrassing fail.
ReCAPTCHAs are no different. Even the name is a sign of stupidity.
April 2nd, 2010 at 5:30 pm
Personally, I also use NoScript. Nevertheless, I must say that Firefox is way better than Internet Explorer.
April 27th, 2010 at 5:06 pm
Is the browser.display.use_document_fonts preference set to 0 essentially the same as the "Forbid @font-face" option?
April 28th, 2010 at 3:20 pm
@Anonymous Coward:
Nope, because using the built-in preference you can't choose to selectively allow web fonts on pages you trust or temporarily allow specific font instances.
May 23rd, 2010 at 8:28 pm
Have you ever tried to explain to intelligent, but never-before computer users, sometimes 80 years old and above, the dangers of the web and all its traps - THEN try to explain Giorgio's excellent program and WHAT TO DO to stay protected AND get to view the site?
It's one thing to set up Ghostiary and the like, make them search through Scroogle and use behind-the-scenes beacon and unwanted add-on killers - but NOSCRIPT? I love the program, though it is the most aggravating thing I've used at times. For someone who doesn't understand the basic concept of a script they cannot see, forget it! Is it possible to create a Few Scripts or No Script Lite, which, despite its name would be much more complicated - something that can let them use their computers - my parents use their computer - and the web, where living at home (long story) and RTFM means Ring the Family Maven ('Maven' long A short e, equal emphasis on both syllables, transliterated Yiddish - in Yinglish: 1) a true expert, "That maven got the machine back up in no time" or 2) a puffed up incompetent (used sarcastically as a cutting insult without maladicta "Such a wine maven, he can't even open a bottle of champagne without breaking the cork") (Maladicta mod. academic Latin: "bad words" (see George Carlin's 'Seven words you can never say on TV') words that are neither blasphemous nor call upon one's Deity(ies) to justly condemn a person, or inherently bad except that they have been socially decided insults or just bad language ... for absolutely no reason in particular)...
... that would allow me to put stronger security on their network AND get some rest?
"Here comes a candle to light you to bed"