-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
no-remote-fonts option not working for inlined fonts #1539
Comments
These are inline data: URI-based fonts, they can't be blocked as there is no specific network requests for these. |
@gorhill do you think anything should be done about data: URIs? seems like an easy way for websites to bypass blockers and load unwanted/malicious content. see: gorhill/uMatrix#276 (comment) |
@gorhill Thanks for the explanation. This is interesting and does indeed seem like an easy bypass for websites. Curiously, NoScript's option seems to successfully block these (as part of their various types of "Blocked Objects"), so I wonder how they do it in addition to |
Probably blocking through My understanding of how things are evolving, is that Giorgio Maone is working closely with Mozilla re. WebExtensions, and I am assuming that the missing parts of WebExtensions as implemented on Chromium-based browsers to solve the kind of issues here will be added to Firefox's version of WebExtensions (and hopefully this will motivate Chromium devs to follow suit). |
@icasdri , if you do not wish to download remote fonts, but you still want uBO UI to work, instruct Firefox to prevent websites from using their own fonts. To do this, go to By making that settings change in Options menu (instead of about:config), you can choose which font you want all pages to use. Here is my own setting; it has worked well on just about all pages so far: |
That's a bit too heavy-handed, because it keeps all page-specified fonts, even fonts loaded from the local machine rather than the Web (a.k.a. "non-web" fonts), from working unless they're in that small set of allowed fonts; for example, it would keep Verdana from being used on a page if Arial is set as the default sans-serif. |
I don't understand the exact workings of this setting to be honest. What @lewisje just posted makes sense, and the setting seemed to successfully block Arstechnica site from loading remote fonts. Then again, if I go to http://getbootstrap.com/css/, even though I have Firefox 45.0.1 |
can you link to the exact page with the fonts? i dont see them on your link |
@berrythesoftwarecodeprogrammar Not sure whether you're referring to me. If so, the page is http://getbootstrap.com/css/ . In Firefox, press |
Great find. Coupled with the quote below from gorhill, the ghacks link explains it all for me.
Now I get that with |
@RoxKilly oh i didnt know that your screenshot was of the font inspector i wonder how it determines which fonts are icon fonts |
Is there an issue for blocking data: URI fonts? I’d like to +1 it. |
With current version of uBO, this should work to prevent inlined fonts from being used by the browser:
|
Good. This should probably be mentioned in a wiki page easily accessible from the wiki home. Also, did you mean |
Using |
For those of us who are extremely stupid or unsavvy, how can this rule be applied on a per website basis? |
|
@okiehsch , @gorhill I may be missing something but it doesn't seem to work. Try:
you'll notice that the Anchor-JS fonts are still being loaded (they show up as "remote" in Firefox Fonts Inspector) |
I don't see "Anchor-JS fonts" on that page, the only font resource I see is |
uBlock Origin's
no-remote-fonts: * true
option (i.e. by checking "Block remote fonts" in Settings or adding that line to rules) does not have the desired effect of blocking@font-face
remote webfonts from being downloaded/used.@font-face
fonts are still downloaded/used even when the option is enabled. This can be seen in Firefox's Font Inspector. Below is an example with http://arstechnica.com.Notice that uBlock Origin's font blocking option is enabled per the red X in bottom-right of popup, yet the
@font-face
remote webfonts are still being used per Inspector (example of "Bebas Nueue" present in screenshot; this is also easily seen in the difference in page rendering).Note that setting Firefox's built-in
gfx.downloadable_fonts.enabled
tofalse
does have the desired effect (see Steps to Reproduce below), but this ruins uBlock Origin's popup UI as discussed in #15 when this feature was first introduced.Steps to reproduce:
Inspector
, click onFonts
tab, observe that a number of@font-face
remote webfonts are being used.@font-face
webfonts are still being used.gfx.downloadable_fonts.enabled
tofalse
inabout:config
(from Icons are broken with standard font set. #15, this is what no-remote-fonts is supposed to accomplish without uBlock's interface breaking)@font-face
are used.gfx.downloadable_fonts.enabled
back totrue
, while keeping uBlock Origin's "Block remote fonts" option, and observe on the site in Font Inspector that the@font-face
webfonts come back, signifying that uBlock's option has no effect.Version information:
The text was updated successfully, but these errors were encountered: