[tor-bugs] #33430 [Applications/Tor Browser]: Disable downloadable fonts on Safest security level (was: Fonts can be injected into a website via CSS (as base64 encoded application))
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 26 17:59:36 UTC 2020
#33430: Disable downloadable fonts on Safest security level
--------------------------------------+--------------------------
Reporter: dcent | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam202002 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by sysrqb):
* keywords: => TorBrowserTeam202002
Comment:
Thanks for reporting this. While I was partially joking about a "malicious
font", I did take this seriously. This could be a attack vector, so I dug
into it a bit and it looks like we can flip
`gfx.downloadable_fonts.enabled` on Safest and it will ignore webfonts.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33430#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list