Just wondering something. Why are fonts blocked by NoScript? What kind of threats does this mitigate?
Also, side question while I'm at it, is there any protection gained from blocking URL "javascript:" for technically literate people? Until now I thought it would only protect common users who would be tricked into copy/pasting a javascript: URL into their address bar, or clicking on a javascript: link. So if I can read the URL before running it I cannot be tricked. But maybe there are concealed ways to have them run that would work even on JS literate people?
If not I'll just keep the javascript: blocking disabled.
Thanks
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Wow, I didn't expect the custom fonts feature to require so much of a complex machinery. Now that does make sense to block it. Thanks
Though the last line of that article links to slides that talk about SVG font abuse among other things. Why doesn't NoScript block SVG?
Also if anyone knows the reply to my less important question about "javascript:" URLs, I'm all ears.
Gogg wrote: But maybe there are concealed ways to have them run that would work even on JS literate people?
As soon as you type the JavaScript snippet in first person and don't use copy&paste from a website (which can be easily hijacked) you should be relatively safe.
Oh ok, only cross site SVG is blocked! That must be why I didn't notice it. Good to know.
And the protection from "javascript:" can stay disabled as well, which I prefer this way. I wanted to make sure there wasn't some way to trick the browser into automatically executing somehow. If it absolutely requires a copy/paste action from the user, it's safe for me even if the copy is hijacked.
Thanks for the answers!
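Added example, not part of any post in this thread: a small check for the copy&paste case discussed above. It compares the text that was selected with what the clipboard actually holds, and tests whether the clipboard content would be read as a javascript: URL once the whitespace and control characters that URL parsing discards are stripped. The helper names and the sample strings are constructed for illustration.

```javascript
// Added example: helper names are hypothetical, sample strings are constructed.
// URL parsing ignores leading/trailing C0 controls and spaces, and removes
// every tab and newline, before it looks for the scheme.
const LEADING_TRAILING = /^[\u0000-\u0020]+|[\u0000-\u0020]+$/g;
const TAB_OR_NEWLINE = /[\t\n\r]/g;

// Return the lowercased scheme the text would parse to, or null if none.
function normalizedScheme(text) {
  const cleaned = text.replace(LEADING_TRAILING, "").replace(TAB_OR_NEWLINE, "");
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return match ? match[1].toLowerCase() : null;
}

function isJavascriptUrl(text) {
  return normalizedScheme(text) === "javascript";
}

// Compare what the user selected on the page with what landed in the clipboard.
function reviewPaste(selectedText, clipboardText) {
  return {
    altered: selectedText !== clipboardText,
    javascriptUrl: isJavascriptUrl(clipboardText),
  };
}

// Constructed samples: [selected text, clipboard text].
const samples = [
  ["https://example.com/", "https://example.com/"],
  ["https://example.com/", "  JaVa\tScRiPt:void(0)"],
  ["see javascript: docs", "see javascript: docs"],
];

for (const [selected, clipboard] of samples) {
  console.log(JSON.stringify(clipboard), reviewPaste(selected, clipboard));
}
```
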