[tor-bugs] #33430 [Applications/Tor Browser]: Disable downloadable fonts on Safest security level

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 26 18:51:26 UTC 2020


#33430: Disable downloadable fonts on Safest security level
--------------------------------------+------------------------------
 Reporter:  dcent                     |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_review
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam202002      |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:  acat                      |        Sponsor:
--------------------------------------+------------------------------
Changes (by sysrqb):

 * status:  new => needs_review
 * reviewer:   => acat


Comment:

 While this is still fresh in my mind: `bug33430_00`

 https://gitweb.torproject.org/user/sysrqb/torbutton.git/commit/?h=bug33430_00&id=9e18e7e2a9042976e128f96bddd1d38953512d73

 I verified this works by loading the provided example page on Safer
 (before disabling the pref). I opened the webtools Inspector, selected
 an element on the page (any of them should work), and from the panel on
 the right side selected the "fonts" tab. At the bottom of the fonts tab
 there is an "All fonts on page" arrow/toggle (at least in English).
 Clicking this shows all fonts used on the page, and indeed it shows the
 `data:` webfonts.

 After disabling the downloadable_fonts pref, I refreshed the page and
 repeated the above steps. It shows only system fonts were used.

 In parallel, I went code-diving and this seems reasonable.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33430#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

