Why does NS allow to forbid fonts but not SVG?

Shinobi


Post by Shinobi »

Hi,

I see that fonts can be blocked by NoScript from the UI. I guess it means they present a security risk worth mentioning. But then I don't understand why SVG was put in a different boat? Shouldn't there be a placeholder for SVG and eventually a UI checkbox?

If not I'm curious about the reasoning.
barbaz
Senior Member
Posts: 11144
Joined: Sat Aug 03, 2013 5:45 pm

Re: Why does NS allow to forbid fonts but not SVG?

Post by barbaz »

What SVG security issues are there that NoScript doesn't already cover?
*Always* check the changelogs BEFORE updating that important software!
Shinobi

Re: Why does NS allow to forbid fonts but not SVG?

Post by Shinobi »

I have no idea, but couldn't you ask the same for fonts? Both sound like comparable attack vectors, yet NoScript can only block fonts.

Here are some SVG security issues already fixed. There are privacy issues as well but I'm not sure they can be abused without JS.

Anyway, are you saying that the reason SVG isn't directly blockable from NoScript is that the entirety of its attack vector is covered by other NoScript functionalities, like regular JS blocking, XSS or clickjacking protection?

And that was not the case for fonts, which NS had to handle specifically?
barbaz
Senior Member
Posts: 11144
Joined: Sat Aug 03, 2013 5:45 pm

Re: Why does NS allow to forbid fonts but not SVG?

Post by barbaz »

I'm not making any claims about the extent/scope of potential SVG attack vectors (I'm no expert in that sort of stuff). I would just like to understand why you think SVG poses a significant security threat (meaning more so than static HTML, other types of images, and other things that NoScript won't generally block by default). When I said NoScript already covers some SVG security issues, I was thinking along the lines of this.

Why NoScript Blocks Web Fonts
*Always* check the changelogs BEFORE updating that important software!
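An added example, not from this thread and not NoScript's own code, that makes the distinction the two posters are circling concrete: an SVG only goes beyond a static image when it carries script-capable or external-loading content, which is exactly what a script blocker already targets. The two sample SVGs and the checker are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed samples (not taken from the forum thread).
STATIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="steelblue"/>
</svg>"""

ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>function init(){}</script>
  <a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>
  <image href="http://example.invalid/pixel.png" width="1" height="1"/>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml"/></foreignObject>
</svg>"""


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """List the parts of an SVG that need script or network access to do anything.

    A drawing with no findings is no riskier than any other static image;
    every finding here is something a script/content blocker already governs.
    """
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        name = local_name(elem.tag)
        if name == "script":
            findings.append("script element")
        elif name == "foreignObject":
            findings.append("foreignObject (embeds HTML content)")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" or attr == XLINK_HREF:
                target = value.strip().lower()
                if target.startswith("javascript:"):
                    findings.append(f"javascript: URL on <{name}>")
                elif target.startswith(("http:", "https:", "//")):
                    findings.append(f"external reference on <{name}>: {value}")
    return findings


def is_static(svg_text):
    """True when the SVG is a pure drawing with no active or remote content."""
    return not find_active_content(svg_text)
```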