Image buttons display text only
-
Hi! I think I set a setting wrong in Vivaldi, can anyone help me fix it? At some websites (ironically including the Vivaldi forums), buttons that are supposed to include a picture, only show a white-outlined square. See picture below, I indicated them in red. If there's text on the button as well, it doesn't really matter, however, if there's no text (as in this forum post editor) I have to hover over the squares to find out which one does what.
Note that Loading Images is set to 'Always' (screenshot to the left). If I switch it to 'Never' (screenshot to the right) or back again, other images (such as avatars in these forums) disappear and show again, but the image buttons don't change.
The white squares are quite confusing (and ugly!). Does anyone know how to fix this?
-
Wow, thank you!
I had indeed uBlock set to block downloadable fonts (I care more about online safety than fancy fonts) but I never realized these icons are in fact fonts as well.
uBlock turns out to have a site-specific 'Toggle the blocking of remote fonts for this site' option. Fixed!
-
@loes said in Image buttons display text only:
I care more about online safety than fancy fonts
Are there any security concerns regarding the use of externally hosted web fonts?
-
There could be: for instance, see this (admittedly, old) vulnerability in TTF parsing on Windows, that did indirectly affect Chrome (and probably other browsers) in its time: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4786
If the same kind of vulnerability was discovered again, an attacker could use a specially crafted font included as a web font to gain remote code execution privileges (i.e. execute whatever they want on the pc).
Granted, now Chromium runs in a sandbox, so it may limit the impact of such a vulnerability, but still, on principle, it could be harmful.
So, IMO blocking third-party web fonts can make sense (though I don't do it myself); especially since they're third-party (so, not hosted by the site you're browsing) so you can't be 100% sure that they were willingly included by the owner of the site you're visiting (e.g. injected by an ad network, or such...).
Of course when watching the site, you know, but the content blocker cannot "see" that.
-
@IcePanther Thanks, I did some research but I couldn't find any info about potentially malicious fonts (and I never heard of any). I guess that most of the malicious websites will use JS anyway, so IMO, if you're not blocking JS (at least from 3rd parties) then blocking web fonts would probably not increase your security in any reasonable measure...
-
You're welcome.
I myself don't know of any malicious font either; just that the theoretical possibility of such an attack exists.
Also, as you pointed out, JS is a much bigger source of vulnerabilities, it's indeed way more useful from a security standpoint to block third-party JS (with uMatrix for instance, or NoScript for Firefox) than Web fonts.
(Side note: blocking third-party JS also considerably lightens browsing, I recently started using uMatrix and was amazed at the number of blocked requests.
That being said, it is a tool for power users, and can completely break your browsing experience if you don't know which third parties to whitelist, so I wouldn't advise its use to anybody, only experienced users.
Same goes for NoScript, too.)
-
Then again, Vivaldi has the option to block JS (and unblock it on a per-site basis) as well.
I wasn't blocking these remote fonts based on a real threat of actual malicious fonts, but rather from a general sense of 'if I don't need it I could as well block it'.
I trust Vivaldi's first-party icon fonts, but quite some websites download third-party fonts, increasing the chance of unwanted/unnecessary third-party tracking and, if you're really really unlucky, actual bad stuff. I agree chances are slim but hey, if it doesn't affect the browsing experience, and the ad-blocker you're using offers the option, you could as well minimize risk.
Stupidly missed the fact however that these days, quite some fancy icons are fonts as well. Let it be clear that I'm not a web developer.
By the way, if anyone is interested, it isn't of course completely failsafe, but uBlock is able to block third-party remote fonts only (whilst allowing first-party fonts) by adding a filter rule:
*$font,third-party
-
@loes said in Image buttons display text only:
Then again, Vivaldi has the option to block JS (and unblock it on a per-site basis) as well.
I was under the impression (maybe incorrect) that the native/Chromium JS block (default deny, allow through either preferences or site badge/icon in the URL bar) worked by allowing all JS for the current site, not caring whether it was 1st or 3rd party.
After a quick test, it seems that I am correct:
- If I disable uMatrix, disable JS through Chromium settings, and enable it for vivaldi.com, it loads the JS from both vivaldi.com and youtube.com when I visit vivaldi.com home page where a YouTube video is shown.
- If I enable JS back in Chromium, remove the exception I just created, and enable uMatrix (default rules), JS is allowed for vivaldi.com, but not youtube.com (preventing the video from showing).
The Chromium behavior makes more sense for most users that want security without getting too technical, though. It disables JS globally but enables it for sites one wants to "just work".
On the other hand, it's less fine-grained, and doesn't prevent malicious scripts from third parties (e.g. malvertising attacks).
Anyway, both are valid strategies, it just depends on where the user sits on the balance between security (and/or privacy, as you said, trackers share the same mechanisms) and usability.
-
@IcePanther said in Image buttons display text only:
@loes said in Image buttons display text only:
Then again, Vivaldi has the option to block JS (and unblock it on a per-site basis) as well.
I was under the impression (maybe incorrect) that the native/Chromium JS block (default deny, allow through either preferences or site badge/icon in the URL bar) worked by allowing all JS for the current site, not caring whether it was 1st or 3rd party.
Oh, no, I never meant Vivaldi could specifically block third-party JS. When I started typing my answer, you hadn't posted your reply yet so I just replied to pafflick who wrote about "blocking JS" in general (although he did specify '(at least from 3rd parties)').
My Vivaldi is set to block all JS, only allowing it on decent websites. Which indeed doesn't protect against malvertising on otherwise trustworthy websites. I'll look into uMatrix, sounds good!
-
@loes
I see, it was a case of simultaneous posting (or race condition) then; sorry for the misunderstanding on my part.
-
That was an interesting read, nevertheless. One thing that I wanted to point out is that using "font icons" is a popular trend nowadays, as it's a convenient, lossless image format, used widely for vector icons & logos. The other one is SVG (also used as fonts in some cases), which is a bit more powerful and also potentially more "dangerous" format.
-
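The two blocking strategies compared earlier in this thread, as an added example that is not part of any post and is not code from Vivaldi, Chromium, uBlock or uMatrix: a per-site JS allow-list versus a per-request third-party block (standing in for uMatrix's handling of third-party scripts as described above and for the `*$font,third-party` filter). The file names, `fonts.example.net` and the two-label "site" rule are constructed assumptions.

```javascript
// Added illustration; not code from Vivaldi, Chromium, uBlock or uMatrix.
// Assumption: "site" = last two hostname labels. Real blockers use the
// Public Suffix List, so this is wrong for suffixes such as co.uk.
function site(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function isThirdParty(pageUrl, requestUrl) {
  return site(new URL(pageUrl).hostname) !== site(new URL(requestUrl).hostname);
}

// Strategy A: scripts denied everywhere, except on pages the user allow-listed.
// The decision looks only at the page being visited, not at the script's origin.
function perSiteAllow(allowedSites, pageUrl, req) {
  if (req.type !== 'script') return 'allow';
  return allowedSites.has(site(new URL(pageUrl).hostname)) ? 'allow' : 'block';
}

// Strategy B: per-request decision, blocking selected types when third-party.
function perRequestBlock(blockedThirdPartyTypes, pageUrl, req) {
  const blocked = blockedThirdPartyTypes.has(req.type) && isThirdParty(pageUrl, req.url);
  return blocked ? 'block' : 'allow';
}

// Constructed sample requests for a page on vivaldi.com.
const page = 'https://vivaldi.com/';
const requests = [
  { type: 'script', url: 'https://vivaldi.com/app.js' },
  { type: 'script', url: 'https://www.youtube.com/player.js' },
  { type: 'font', url: 'https://forum.vivaldi.com/icons.woff2' },
  { type: 'font', url: 'https://fonts.example.net/fancy.woff2' },
];

function compare() {
  const allowed = new Set(['vivaldi.com']);
  const thirdPartyTypes = new Set(['script', 'font']);
  return requests.map((req) => ({
    url: req.url,
    perSite: perSiteAllow(allowed, page, req),
    perRequest: perRequestBlock(thirdPartyTypes, page, req),
  }));
}

console.table(compare());
```

The youtube.com script is the row where the two strategies disagree: the per-site allow-list lets it run because the visited page is trusted, while the per-request rule blocks it.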