brave · pilgrim-brave · Aug 2, 2022 · Jun 14, 2022 · Jul 8, 2022 · Jul 29, 2022
diff --git a/browser/farbling/BUILD.gn b/browser/farbling/BUILD.gn
@@ -12,6 +12,7 @@ if (!is_android) {
     sources = [
       "brave_dark_mode_fingerprint_protection_browsertest.cc",
       "brave_enumeratedevices_farbling_browsertest.cc",
+      "brave_font_whitelist_browsertest.cc",
       "brave_navigator_devicememory_farbling_browsertest.cc",
       "brave_navigator_hardwareconcurrency_farbling_browsertest.cc",
       "brave_navigator_keyboard_api_browsertest.cc",

diff --git a/browser/farbling/brave_font_whitelist_browsertest.cc b/browser/farbling/brave_font_whitelist_browsertest.cc
@@ -0,0 +1,102 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "base/test/scoped_feature_list.h"
+#include "brave/components/brave_shields/common/features.h"
+#include "brave/components/content_settings/renderer/brave_content_settings_agent_impl.h"
+#include "brave/third_party/blink/renderer/brave_font_whitelist.h"
+#include "content/public/renderer/render_frame.h"
+#include "content/public/renderer/render_view.h"
+#include "content/public/test/render_view_test.h"
+#include "third_party/blink/public/platform/web_string.h"
+#include "third_party/blink/public/web/web_document.h"
+#include "third_party/blink/public/web/web_element.h"
+#include "third_party/blink/public/web/web_local_frame.h"
+
+using brave_shields::features::kBraveReduceLanguage;
+
+namespace {
+
+const char kFontLocalSourceHTML[] =
+    "<html><head><style>@font-face{font-family:Helvetica "
+    "Shadow;src:local('Helvetica')}</style></head><body><p><span id='test1' "
+    "style=\"font-family: 'Helvetica'\">mmMwWLliI0fiflO&1</span></p><p><span "
+    "id='test2' "
+    "style=\"font-family: 'Helvetica "
+    "Shadow'\">mmMwWLliI0fiflO&1</span></p></body></html>";
+
+}  // namespace
+
+namespace content_settings {
+
+namespace {
+
+class MockContentSettingsAgentImpl : public BraveContentSettingsAgentImpl {
+ public:
+  explicit MockContentSettingsAgentImpl(content::RenderFrame* render_frame)
+      : BraveContentSettingsAgentImpl(
+            render_frame,
+            false,
+            std::make_unique<ContentSettingsAgentImpl::Delegate>()) {}
+
+  bool IsReduceLanguageEnabled() override { return true; }
+};
+
+}  // namespace
+
+class BraveFontWhitelistRenderViewTest : public content::RenderViewTest {
+ public:
+  BraveFontWhitelistRenderViewTest() {
+    feature_list_.InitAndEnableFeature(kBraveReduceLanguage);
+  }
+  ~BraveFontWhitelistRenderViewTest() override = default;
+
+ private:
+  base::test::ScopedFeatureList feature_list_;
+};
+
+// Test that pages can not use a src:local CSS declaration to bypass the font
+// whitelist. This test requires a specific font to be installed locally, so we
+// only run the test on Mac.
+#if BUILDFLAG(IS_MAC)
+#define MAYBE_FontLocalSource FontLocalSource
+#else
+#define MAYBE_FontLocalSource DISABLED_FontLocalSource
+#endif
+TEST_F(BraveFontWhitelistRenderViewTest, MAYBE_FontLocalSource) {
+  // Clear the font whitelist. This creates a situation where we know there is a
+  // font installed locally (Helvetica, preinstalled on every Mac) that is not
+  // on the font whitelist.
+  brave::set_allowed_font_families_for_testing(
+      true,
+      base::MakeFlatSet<base::StringPiece>(std::vector<base::StringPiece>{}));
+
+  // Use mock content settings agent that unconditionally enables font
+  // whitelisting.
+  MockContentSettingsAgentImpl agent(GetMainRenderFrame());
+
+  // Load test HTML page with two specially constructed <span> elements. The
+  // first tries to use Helvetica directly, which will be blocked (even though
+  // the font exists locally) because it's not on the whitelist. The second
+  // tries to use Helvetica via a shadow src:local font declaration, which
+  // previously succeeded (thereby bypassing the font whitelist) because
+  // src:local CSS font processing was not hooked into the font whitelist logic
+  // in brave::AllowFontFamily.
+  LoadHTMLWithUrlOverride(kFontLocalSourceHTML,
+                          GURL("http://b.test/").spec().c_str());
+  blink::WebDocument document = GetMainFrame()->GetDocument();
+  blink::WebElement p1 =
+      document.GetElementById(blink::WebString::FromUTF8("test1"));
+  ASSERT_FALSE(p1.IsNull());
+  blink::WebElement p2 =
+      document.GetElementById(blink::WebString::FromUTF8("test2"));
+  ASSERT_FALSE(p2.IsNull());
+
+  // If the width of both spans is the same, that means they were both blocked
+  // from using the specified font (Helvetica), which is what we want.
+  EXPECT_EQ(p1.BoundsInViewport().width(), p2.BoundsInViewport().width());
+}
+
+}  // namespace content_settings
@@ -0,0 +1,28 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "third_party/blink/renderer/core/css/local_font_face_source.h"
+
+#include "third_party/blink/renderer/core/execution_context/execution_context.h"
+
+#define IsLocalFontAvailable IsLocalFontAvailable_ChromiumImpl
+
+#include "src/third_party/blink/renderer/core/css/local_font_face_source.cc"
+
+#undef IsLocalFontAvailable
+
+namespace blink {
+
+bool LocalFontFaceSource::IsLocalFontAvailable(
+    const FontDescription& font_description) const {
+  if (!brave::AllowFontFamily(font_selector_->GetExecutionContext(),
+                              font_name_)) {
+    return false;
+  }
+
+  return IsLocalFontAvailable_ChromiumImpl(font_description);
+}
+
+}  // namespace blink
@@ -0,0 +1,19 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef BRAVE_CHROMIUM_SRC_THIRD_PARTY_BLINK_RENDERER_CORE_CSS_LOCAL_FONT_FACE_SOURCE_H_
+#define BRAVE_CHROMIUM_SRC_THIRD_PARTY_BLINK_RENDERER_CORE_CSS_LOCAL_FONT_FACE_SOURCE_H_
+
+#include "third_party/blink/renderer/core/css/css_font_face_source.h"
+
+#define IsLocalFontAvailable                                       \
+  IsLocalFontAvailable_ChromiumImpl(const FontDescription&) const; \
+  bool IsLocalFontAvailable
+
+#include "src/third_party/blink/renderer/core/css/local_font_face_source.h"
+
+#undef IsLocalFontAvailable
+
+#endif  // BRAVE_CHROMIUM_SRC_THIRD_PARTY_BLINK_RENDERER_CORE_CSS_LOCAL_FONT_FACE_SOURCE_H_
diff --git a/test/BUILD.gn b/test/BUILD.gn
@@ -813,6 +813,7 @@ if (!is_android) {
       "//brave/components/tor",
       "//brave/renderer/skus:browser_tests",
       "//brave/renderer/test:browser_tests",
+      "//brave/third_party/blink/renderer:renderer",
       "//brave/vendor/bat-native-ads",
       "//brave/vendor/bat-native-ledger",
       "//brave/vendor/bat-native-ledger:publishers_proto",

@@ -3,7 +3,7 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this file,
 # You can obtain one at http://mozilla.org/MPL/2.0/.
 
-source_set("renderer") {
+component("renderer") {
   sources = [
     "brave_farbling_constants.h",
     "brave_font_whitelist.cc",

@@ -1,3 +1,4 @@
 include_rules = [
+  "+third_party/blink/public/platform/web_common.h",
   "+third_party/blink/renderer/platform/wtf/text",
 ]
@@ -6,10 +6,8 @@
 #ifndef BRAVE_THIRD_PARTY_BLINK_RENDERER_BRAVE_FARBLING_CONSTANTS_H_
 #define BRAVE_THIRD_PARTY_BLINK_RENDERER_BRAVE_FARBLING_CONSTANTS_H_
 
-enum BraveFarblingLevel {
-  BALANCED = 0,
-  OFF,
-  MAXIMUM
-};
+#include "third_party/blink/public/platform/web_common.h"
+
+enum BLINK_EXPORT BraveFarblingLevel { BALANCED = 0, OFF, MAXIMUM };
 
 #endif  // BRAVE_THIRD_PARTY_BLINK_RENDERER_BRAVE_FARBLING_CONSTANTS_H_
@@ -10,18 +10,19 @@
 
 #include "base/containers/flat_set.h"
 #include "base/strings/string_piece.h"
+#include "third_party/blink/public/platform/web_common.h"
 #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
 
 namespace brave {
 
-bool CanRestrictFontFamiliesOnThisPlatform();
-const base::flat_set<base::StringPiece>& GetAllowedFontFamilies();
+BLINK_EXPORT bool CanRestrictFontFamiliesOnThisPlatform();
+BLINK_EXPORT const base::flat_set<base::StringPiece>& GetAllowedFontFamilies();
 
 // This takes a 2-character language code.
-const base::flat_set<base::StringPiece>&
+BLINK_EXPORT const base::flat_set<base::StringPiece>&
 GetAdditionalAllowedFontFamiliesByLocale(WTF::String locale_language);
 
-void set_allowed_font_families_for_testing(
+BLINK_EXPORT void set_allowed_font_families_for_testing(
     bool can_restrict_fonts,
     const base::flat_set<base::StringPiece>& allowed_font_families);