[tbb-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 24 08:14:56 UTC 2020


#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
--------------------+------------------------------------------
 Reporter:  dcent   |          Owner:  tbb-team
     Type:  defect  |         Status:  new
 Priority:  Medium  |      Component:  Applications/Tor Browser
  Version:          |       Severity:  Normal
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
 Reviewer:          |        Sponsor:
--------------------+------------------------------------------
 Websites can circumvent measures by Tor Browser / NoScript to reject
 fonts.

 Fonts can be injected as “application/font” data in base64 format,
 directly into the CSS! I discovered this at [CSS Tricks](https://css-
 tricks.com/snippets/css/a-guide-to-flexbox/)... go figure. I've noticed
 this on another website since.

 To replicate, go to the above site in Tor's highest security setting.

 You'll see that the fonts are not your usual fonts.

 Inspect the CSS and you'll see code like this to "import" the fonts:

 @font-face {
  font-family:sentinel ssm a;
  src:url(data:application/x-font-
 woff2;base64,d09GMgABAAAAAFKQABIAAAAArzgAAFIsAAFNDgAAAAA etc etc);
  font-weight:400;
  font-style:normal
 }

 The thing that struck me is that the embedded mime type is ‘application/x
 -font-woff2’. What other “application” types might be embed-able and
 usable/executable?

 I did a search and didn't see this as a ticket.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33430>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list