
Font blocking (mainly)

Posted: Fri Jun 07, 2013 5:21 pm
by Gogg
Hey guys,

Just wondering something. Why are fonts blocked by NoScript? What kind of threats does this mitigate?


Also, side question while I'm at it, is there any protection gained from blocking URL "javascript:" for technically literate people? Until now I thought it would only protect common users who would be tricked into copy/pasting a javascript: URL into their address bar, or clicking on a javascript: link. So if I can read the URL before running it I cannot be tricked. But maybe there are concealed ways to have them run that would work even on JS literate people?
If not, I'll just keep the javascript: blocking disabled.


Thanks :)

Re: Font blocking (mainly)

Posted: Fri Jun 07, 2013 7:18 pm
by therube

Re: Font blocking (mainly)

Posted: Fri Jun 07, 2013 11:00 pm
by Gogg
Wow, I didn't expect the custom fonts feature to require such complex machinery. Now that does make sense to block it. Thanks :)
Though the last line of that article links to slides that talk about SVG font abuse among other things. Why doesn't NoScript block SVG?


Also if anyone knows the reply to my less important question about "javascript:" URLs, I'm all ears :)

Re: Font blocking (mainly)

Posted: Sat Jun 08, 2013 9:05 am
by Giorgio Maone
NoScript does block cross-site SVG.
Gogg wrote: But maybe there are concealed ways to have them run that would work even on JS literate people?
As soon as you type the JavaScript snippet in first person and don't use copy&paste from a website (which can be easily hijacked) you should be relatively safe.

Re: Font blocking (mainly)

Posted: Sat Jun 08, 2013 11:46 am
by Guest
Oh ok, only cross-site SVG is blocked! That must be why I didn't notice it. Good to know.

And the protection from "javascript:" can stay disabled as well, which I prefer. I wanted to make sure there wasn't some way to trick the browser into automatically executing somehow. If it absolutely requires a copy/paste action from the user, it's safe for me even if the copy is hijacked.


Thanks for the answers!