[tor-bugs] #33430 [Applications/Tor Browser]: Disable downloadable fonts on Safest security level
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 27 08:20:18 UTC 2020
#33430: Disable downloadable fonts on Safest security level
--------------------------------------+------------------------------
Reporter: dcent | Owner: tbb-team
Type: defect | Status: needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam202002 | Actual Points:
Parent ID: | Points:
Reviewer: acat | Sponsor:
--------------------------------------+------------------------------
Comment (by dcent):
> I don't necessarily agree with this approach. At some stage safest is
> going to become practically useless.
In the highest security level fonts are already blocked and I understand
that's for a reason. If we want to bundle the free Font Awesome fonts (or
any other fonts for that matter) into Tor, then that's another issue; I'd
personally be interested in Fira Sans (cannot-sell-font-individually
license) and Roboto Slab (fully free license) being added as they serve a
different purpose to Arimo, but every font added will result in a larger
download for Tor Browser.
> What is a malicious font?
I did read about this once, it might be on these forums.
> [preventing the parsing of "application" data at the CSS level] seems
> like the better approach (and to confirm no other types can be downloaded
> via this method and exploited). Can a downloadable font used by this
> method do anything more than one that isn't?
Agree on this and the questions posed.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33430#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online