From 17679903ce5999b83ff7bd598e0c62f889f8bd14 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Sun, 5 Sep 2021 17:54:17 +0300
Subject: [PATCH] Fonts restriction
---
 doc/index.texi | 5 +++--
 main.go | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/doc/index.texi b/doc/index.texi
index 1989a45..2b1e755 100644
--- a/doc/index.texi
+++ b/doc/index.texi
@@ -40,6 +40,9 @@ Privoxy}, but it is not friendly with TLS connections, obviously.
 @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE} checks.
+@item And there is insanity of downloading fonts.
+ Why the hell people just do not send PostScript documents instead!?
+
 @end itemize
 That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
@@ -153,6 +156,4 @@ What I am planning possibly to do? Just brainstorming:
 @item TLS client certificates usage capability.
-@item Web fonts download restriction.
-
 @end itemize
diff --git a/main.go b/main.go
index 4464fea..16fae3d 100644
--- a/main.go
+++ b/main.go
@@ -152,6 +152,22 @@ func roundTrip(w http.ResponseWriter, req *http.Request) {
 w.Write([]byte(err.Error()))
 return
 }
+ contentType := resp.Header.Get("Content-Type")
+ switch contentType {
+ case "application/font-woff", "application/font-sfnt":
+ // Those are deprecated types
+ fallthrough
+ case "font/otf", "font/ttf", "font/woff", "font/woff2":
+ http.NotFound(w, req)
+ sinkOther <- fmt.Sprintf(
+ "%s %s\t%d\tfonts are not allowed",
+ req.Method,
+ req.URL.String(),
+ http.StatusNotFound,
+ )
+ resp.Body.Close()
+ return
+ }
 for k, vs := range resp.Header {
 if k == "Location" || k == "Content-Type" || k == "Content-Length" {
 continue
-- 
2.44.0
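Review bot: The `switch contentType` in the main.go hunk compares the raw header value, so a response labelled with a parameter (for example `font/woff2; charset=binary`) or with different letter case matches no case and the font is passed on to the header-copy loop. Parsing first closes that gap: `mediaType, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))` followed by `switch mediaType {`, since ParseMediaType lowercases the type and strips parameters; the `mime` import would have to be added outside this hunk. The case list also omits `font/sfnt` and `font/collection` and legacy labels such as `application/x-font-woff` and `application/vnd.ms-fontobject`, and a font served as `application/octet-stream` cannot be caught by any Content-Type check, so a comment such as `// Best-effort: only blocks responses that declare a font media type` above the switch would set the right expectation. roundTrip starts and ends outside the hunk.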