[tbb-bugs] #17759 [Tor Browser]: font whitelist fails to stop local fonts in @font-face

[Tor Bug Tracker & Wiki]

#17759: font whitelist fails to stop local fonts in @font-face
---------------------------------+----------------------------------
     Reporter:  arthuredelstein  |      Owner:  tbb-team
         Type:  defect           |     Status:  new
     Priority:  Medium           |  Milestone:
    Component:  Tor Browser      |    Version:
     Severity:  Normal           |   Keywords:  TorBrowserTeam201512
Actual Points:                   |  Parent ID:
       Points:                   |    Sponsor:
---------------------------------+----------------------------------
 In #13313, we introduced a font whitelist pref. John Daggett pointed out
 in https://bugzilla.mozilla.org/show_bug.cgi?id=1121643#c6
 that a CSS rule like:
 {{{
    @font-face {
      font-family: "MyTimes";
      src: local("Times");
    }
 }}}
 allows content to use "Times" even if it is not in our whitelist.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17759>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online