Fonts restriction
authorSergey Matveev <stargrave@stargrave.org>
Sun, 5 Sep 2021 14:54:17 +0000 (17:54 +0300)
committerSergey Matveev <stargrave@stargrave.org>
Sun, 5 Sep 2021 14:54:17 +0000 (17:54 +0300)
doc/index.texi
main.go

index 1989a452a62de028f532d52490e70bcee8706bef..2b1e75576bb78db18de1a438cb1f715f4352252f 100644 (file)
@@ -40,6 +40,9 @@ Privoxy}, but it is not friendly with TLS connections, obviously.
 @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
 checks.
 
+@item And there is insanity of downloading fonts.
+    Why the hell people just do not send PostScript documents instead!?
+
 @end itemize
 
 That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
@@ -153,6 +156,4 @@ What I am planning possibly to do? Just brainstorming:
 
 @item TLS client certificates usage capability.
 
-@item Web fonts download restriction.
-
 @end itemize
diff --git a/main.go b/main.go
index 4464fead426d585bbc1fc6a763d280f85229b7ea..16fae3d6c0742f5ab38723ce1dfa4ae6f704cf35 100644 (file)
--- a/main.go
+++ b/main.go
@@ -152,6 +152,22 @@ func roundTrip(w http.ResponseWriter, req *http.Request) {
                w.Write([]byte(err.Error()))
                return
        }
+       contentType := resp.Header.Get("Content-Type")
+       switch contentType {
+       case "application/font-woff", "application/font-sfnt":
+               // Those are deprecated types
+               fallthrough
+       case "font/otf", "font/ttf", "font/woff", "font/woff2":
+               http.NotFound(w, req)
+               sinkOther <- fmt.Sprintf(
+                       "%s %s\t%d\tfonts are not allowed",
+                       req.Method,
+                       req.URL.String(),
+                       http.StatusNotFound,
+               )
+               resp.Body.Close()
+               return
+       }
        for k, vs := range resp.Header {
                if k == "Location" || k == "Content-Type" || k == "Content-Length" {
                        continue
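Review bot: The added `switch contentType` compares the raw `Content-Type` header against exact strings, so a font served as `font/woff2; charset=binary`, in different letter case, or under a type that is not listed (`font/sfnt`, `font/collection`, `application/vnd.ms-fontobject`, `application/x-font-woff`) is not blocked. Parsing the header and matching the whole `font/` tree would close that gap: `mediaType, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))` followed by `case strings.HasPrefix(mediaType, "font/"):` in a bare `switch`, with the legacy `application/...` names kept as explicit cases; this needs `mime` and `strings` imported, which the hunk does not show. The check also trusts a label chosen by the remote server, so a font sent as `application/octet-stream` still passes, and that limit deserves a comment above the switch. `resp.Body.Close()` runs only after the send on `sinkOther`, so if that channel can block, the upstream body stays open in the meantime; closing the body before the send would be safer. The body of `roundTrip` starts and ends outside the hunk.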