Re: [tor-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

2020-02-26 Thread Tor Bug Tracker & Wiki 
#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
--+--
 Reporter:  dcent |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by sysrqb):

 Replying to [comment:3 dcent]:
 > Is anyone at Guardian Project able to follow this up with the NoScript
 developer(s) or direct the NoScript developer(s) over here?

 The Guardian Project is not related to NoScript.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

2020-02-26 Thread Tor Bug Tracker & Wiki 
#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
--+--
 Reporter:  dcent |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by sysrqb):

 Replying to [comment:2 Yeti]:
 > IMHO malicious fonts can be harmful. I didn't check this behaviour but
 if it's true, this is more a NoScript-issue.

 What is a malicious font?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

2020-02-26 Thread Tor Bug Tracker & Wiki 
#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
--+--
 Reporter:  dcent |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Yeti):

 I think you should discuss this better here:
 https://forums.informaction.com/viewforum.php?f=3

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

2020-02-25 Thread Tor Bug Tracker & Wiki 
#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
--+--
 Reporter:  dcent |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by dcent):

 As issue with NoScript is by extension an issue with Tor Browser.

 It's easy to reproduce as stated in the ticket, but if you have any
 further questions I'd be happy to answer.

 Is anyone at Guardian Project able to follow this up with the NoScript
 developer(s) or direct the NoScript developer(s) over here?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

2020-02-24 Thread Tor Bug Tracker & Wiki 
#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
--+--
 Reporter:  dcent |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Yeti):

 IMHO malicious fonts can be harmful. I didn't check this behaviour but if
 it's true, this is more a NoScript-issue.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

2020-02-24 Thread Tor Bug Tracker & Wiki 
#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
--+--
 Reporter:  dcent |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by Thorin):

 And how exactly is this a fingerprinting (or security) issue?

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

[tor-bugs] #33430 [Applications/Tor Browser]: Fonts can be injected into a website via CSS (as base64 encoded application)

2020-02-24 Thread Tor Bug Tracker & Wiki 
#33430: Fonts can be injected into a website via CSS (as base64 encoded
application)
+--
 Reporter:  dcent   |  Owner:  tbb-team
 Type:  defect  | Status:  new
 Priority:  Medium  |  Component:  Applications/Tor Browser
  Version:  |   Severity:  Normal
 Keywords:  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:
+--
 Websites can circumvent measures by Tor Browser / NoScript to reject
 fonts.

 Fonts can be injected as “application/font” data in base64 format,
 directly into the CSS! I discovered this at [CSS Tricks](https://css-
 tricks.com/snippets/css/a-guide-to-flexbox/)... go figure. I've noticed
 this on another website since.

 To replicate, go to the above site in Tor's highest security setting.

 You'll see that the fonts are not your usual fonts.

 Inspect the CSS and you'll see code like this to "import" the fonts:

 @font-face {
  font-family:sentinel ssm a;
  src:url(data:application/x-font-
 woff2;base64,d09GMgABAFKQABIArzgAAFIsAAFNDgA etc etc);
  font-weight:400;
  font-style:normal
 }

 The thing that struck me is that the embedded mime type is ‘application/x
 -font-woff2’. What other “application” types might be embed-able and
 usable/executable?

 I did a search and didn't see this as a ticket.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs