PBGUX/pb-design-system

Windows 10 - Untrusted Fonts

ldaug opened this issue · 12 comments

ldaug commented

New laptops being built at pb have a policy that is blocking icons from untrusted sources in IE (and possibly Firefox). This affects all webfonts we are delivering with our web apps. It has been logged in Jira as CDQE-59984 and resolved as a System Limitation. But I think this needs more thought and awareness by the ds team, who are choosing these web fonts, as it might not be feasible in all scenarios to ask customers to change their system policies.

https://docs.microsoft.com/en-us/windows/threat-protection/block-untrusted-fonts-in-enterprise#Turn_on_and_use_the_Blocking_untrusted_fonts_feature

In addition, while there is a workaround to just disable this policy, there may be some enterprise customers that will not allow their users to change or modify this behavior, thus rendering our product ineffective. (Saying that, documenting this limitation might not be good enough.)

I worked at a company that did this.

Switch to Chrome! I think this only applies to IE (old IE + Edge), from what I remember. If not...this is not good for the majority of websites these days.

ldaug commented

If that was our answer then we should be dropping all IE support...

Actually, it looks like it doesn't affect Edge...along with the fact that they are telling people not to use it: https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/

ldaug commented

Not something our company is following right now. Wonder how easy it will be to get them to change it here...

Based on experience, it is extremely difficult to get anything handled in a timely manner. I wonder if the Security Team might be able to push this along, if they can get the right information, such as the one from that link.

The web version of Office 365 will not even work correctly if this enterprise setting is enabled.
Office 365 With Font Blocking

Also, DS's approach is to push users towards modern (updating / Evergreen) browsers, especially in the next iteration. These browsers will not have this issue, as they don't use the font rendering that (old) IE (and perhaps most desktop apps) use.

This wouldn't affect just the DS fonts; anything served from Google, FontAwesome, CDN, etc. wouldn't display either, as @nickroberts points out.

I'll reach out to security team as a next step... thanks for starting this thread @ldaug.

Security team is on it and looped in their IT contact, I will provide limited updates here (remember this is a public repo). I'll send emails to all on this thread if there is more detailed information to share.

Shared this article with the security team, no response on this issue yet (thanks to joan for sharing this):

https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/

From security team:

We are looking on this @ priority. We will update you shortly.

Closing this issue as it should be discussed internally. Please email me if you need help reaching out.