Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block external font-face set #49

Merged
merged 1 commit into from
Sep 11, 2024
Merged

Block external font-face set #49

merged 1 commit into from
Sep 11, 2024

Conversation

weizman
Copy link
Member

@weizman weizman commented Jul 9, 2024

Address #48

  • strongly attach unselectable to a non-existing font-face so outer ones won't stick
  • change unselectable to hardened (more relevant)

@weizman weizman changed the title [draft] address #48 Block external font-face set Jul 10, 2024
@weizman weizman marked this pull request as ready for review July 10, 2024 16:26
@weizman weizman linked an issue Jul 12, 2024 that may be closed by this pull request
LavaDome bypass by detecting character height #48
Closed
@weizman weizman self-assigned this Jul 25, 2024
legobeat
legobeat reviewed Sep 10, 2024
View reviewed changes
packages/core/src/element.mjs
// an element that it should be hard to find/select/leak from/etc
export const hardened = invoker(creator({
// decide on an unguessable font-family (non-existing) so an external one cannot be applied
'font-family': rand(20),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not go even higher than 20?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What number would be sufficient?

@legobeat
Copy link
Collaborator

In a way, does this not serve to aid the vector it is addressing - by forcing defaults, a dictionary of common or known defaults can serve to also predict the height...?

@weizman
Copy link
Member Author

weizman commented Sep 11, 2024

In a way, does this not serve to aid the vector it is addressing - by forcing defaults, a dictionary of common or known defaults can serve to also predict the height...?

The problem was that without this setting, it was possible for attackers to change the height of specific chars (as opposed to all of them) which would provide feedback to the attacker on which chars exist and which don't (and in what order).

With this change, all of LavaDome's chars obey the same height restriction, so telling their height from outside is possible, but it isn't useful to tell them apart, so in practice attackers gain no information from such tactic.

@weizman weizman merged commit 9de0c72 into main Sep 11, 2024
2 checks passed
weizman added a commit that referenced this pull request Sep 18, 2024
@weizman
Block external font-face set (#49)
7958a69
weizman added a commit that referenced this pull request Sep 18, 2024
@weizman
Block external font-face set (#49)
fa4643f
@weizman weizman mentioned this pull request Oct 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@legobeat legobeat legobeat approved these changes

Assignees

@weizman weizman

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

LavaDome bypass by detecting character height
2 participants
@weizman @legobeat