Remote fonts... just a debate #506
Comments
that code only works if the origin header comes after the accept header (although that should probably almost always be the case). A more efficient and reliable way would be to check
it is
not sure that I follow... do you mean with Header Editor?
Are you sure?
I'm sure that's what a lot of sites use because it's easy and is the 1st thing they list on that getting-started page
something like this should work for what you originally tried to do, just a lot more efficient and a bit more reliable:

```js
// Header Editor custom function: `val` is the array of request headers,
// `detail` is the webRequest details object for the request.
// Blank the Origin header on font requests, wherever it sits in the list.
if ('font' === detail.type)
  for (let a in val) if (val[a].name.toLowerCase() === 'origin') val[a].value = '';
```
^^ Thank you for pointing this out. 😄

```js
// Blank the Origin header on font requests only
if (detail.type === 'font') {
  for (let a in val) {
    if (val[a].name.toLowerCase() === 'origin') { val[a].value = ''; }
  }
}
```

About CSS, I cannot find one sample that reveals the calling page. It's always font (if it uses Origin) and never CSS.
no problem, you're welcome. re: css - you can find some example sites here: https://trends.builtwith.com/widgets/Google-Font-API (see under Site Totals). fe one example with a 3rd-party google css for fonts I just found in that list is https://www.dailystar.co.uk/
CSS still doesn't reveal Origin (that is the calling page). Doesn't matter which site from the upper lists I pick, I cannot find an example where Origin is exposed over CSS, as I said numerous times... it's always font that is.
Separate from fonts, scripts and CSS also reveal your browsing over Origin quite often.

```js
// Blank the Origin header on font, script and stylesheet requests;
// stop at the first match since a request carries at most one Origin header
if (detail.type === 'font' || detail.type === 'script' || detail.type === 'stylesheet') {
  for (let a in val) {
    if (val[a].name.toLowerCase() === 'origin') {
      val[a].value = '';
      break;
    }
  }
}
```

No breakages so far, will continue to use that and now also pay attention to XHR (I already know that EvilCorp's YT doesn't like removing Origin from XHR). Maybe the topic should change to: Tracking over header Origin
Do I understand right that a font file on Windows is processed by system libs and eventually the kernel? Can a font be used as a cross-app (browser/pdf viewer/document viewer) kernel exploit vector?
^^ It has been seen a few times in security history. AFAIK lately there is no known vector, which does not mean there is none, and if there is/will be some kernel exploit then IMHO it needs to be patched by OS security updates. At this point I am almost 100% certain that the upper script does help prevent a lot of tracking, not covered before, immediately when fonts, JS and CSS are enabled.
or doing font file processing and sanitizing purely in userland, which should prevent zero-day cross-app kernel exploits since the kernel doesn't process the stuff from the file directly, though there may be workarounds.
OT: FF is calling
@crssi It has some interaction with catchpoint/WebPageTest#1166 |
yeah sorry you're right. Using fe. |
The template from #506 (comment) breaks icons in GitLab for me.
@Maryse47 |
Files/directories icons are broken in the above URL as well for me. Disabling that rule fixes it. The particular error is:
Now I see it too. Damn 😢 . Thanks |
@Maryse47 |
@crssi great, thanks. |
@Maryse47

```js
// Header Editor custom function on the *response* headers: if the server
// did not send Access-Control-Allow-Origin, add one matching the page that
// issued the request (detail.originUrl), so the resource still passes the
// CORS check now that the request no longer carries an Origin header.
if (detail.type === 'font' || detail.type === 'script' || detail.type === 'stylesheet') {
  for (let a in val) {
    if (val[a].name.toLowerCase() === 'access-control-allow-origin') { return; }
  }
  // 'https://host/path' -> ['https:', '', 'host'] -> 'https://host'
  val.push({'name': 'Access-Control-Allow-Origin', 'value': detail.originUrl.split('/', 3).join('/')});
}
```

What we do here is check if CORS is set. We might get some better performance with regex. Since this issue is closed, I will duplicate the answer at #509 today where you should also continue this conversation. Note: This rule is an addition to the "Modify request header" one, as a healer process. Cheers
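The two rules discussed in this thread, the request rule that blanks Origin for font/script/stylesheet requests and the response-side Access-Control-Allow-Origin healer above, modelled together as an added stand-alone example; this is not code from the issue or from Header Editor, and the `val`/`detail` shapes and the sample headers are constructed assumptions:

```javascript
// Added example: pure-function model of the two Header Editor custom
// functions from this thread, runnable outside the extension.
// `val` (array of {name, value}) and `detail` ({type, originUrl}) mirror
// the names the rules use; their exact shapes are assumed here.
const TRACKED_TYPES = new Set(['font', 'script', 'stylesheet']);

// Request rule: blank the Origin header for tracked request types.
// Scanning every header makes the rule independent of header order,
// the weakness noted for an index-based check. XHR is left untouched,
// since stripping Origin there breaks sites that rely on CORS.
function stripOriginRequest(val, detail) {
  if (!TRACKED_TYPES.has(detail.type)) return val;
  for (const h of val) {
    if (h.name.toLowerCase() === 'origin') { h.value = ''; break; }
  }
  return val;
}

// Response rule ("healer"): without an Origin on the request the server
// may omit Access-Control-Allow-Origin, so add one for the requesting
// page unless the server already sent its own.
function healCorsResponse(val, detail) {
  if (!TRACKED_TYPES.has(detail.type)) return val;
  if (val.some(h => h.name.toLowerCase() === 'access-control-allow-origin')) return val;
  // 'https://host/a/b'.split('/', 3).join('/') -> 'https://host'
  const origin = detail.originUrl.split('/', 3).join('/');
  val.push({ name: 'Access-Control-Allow-Origin', value: origin });
  return val;
}

// Constructed sample: a font request issued by a page, Origin listed first.
function demo() {
  const detail = { type: 'font', originUrl: 'https://news.example/article/1' };
  const req = stripOriginRequest(
    [{ name: 'Origin', value: 'https://news.example' },
     { name: 'Accept', value: 'application/font-woff2;q=1.0' }], detail);
  const res = healCorsResponse(
    [{ name: 'Content-Type', value: 'font/woff2' }], detail);
  return { req, res };
}
```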
I know you hate fonts due to tracking and fingerprinting, but let's just have a debate for those who still use fonts.
Let's say we don't care about IP.
Fingerprinting can be done over canvas, OS and UA.
Let's say that canvas is sorted out by FF and by CB WE.
We don't care about UA and OS and we do not spoof that, since it's near impossible to.
Then there is tracking. From what I see there are two vectors for that.
One is setting a cookie, which we don't care about since we block 3rd party cookies.
Second is the request header containing the Origin, from which the font provider, like EvilCorp, tracks the sites you browse.
We can neutralize Origin using Header Editor WE:
Configure a new rule as
- Modify the request header
- with Match type = All
- and Execute type = Custom function:
Is this good?
Do I miss something else?
Perhaps a question for @earthlng: is the upper code OK?
Cheers