SVG and NoScript

SVGPonderer

SVG and NoScript

Post by SVGPonderer »

Hello! Are there security risks in keeping SVG enabled in Fx 3.5? How about privacy risks?
Does NoScript care (or need to care in the future) about SVG at all?
Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5
SVGPonderer

Re: SVG and NoScript

Post by SVGPonderer »

Privacy risks like, for instance, a separate cache vulnerable to some kind of attack similar to what SafeCache was protecting against.

By the way, I've seen a few posts here and there where users say they use SafeCache and SafeHistory... but they have Fx 3+. Was I dreaming or is it feasible to use these add-ons with Fx 3.5? If so, how?

Thanks! (And sorry for double post)
Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: SVG and NoScript

Post by Giorgio Maone »

Generally speaking, SVG adds something to your attack surface in terms of parsing or rendering bugs which might be exploited for code execution, but on pages which have scripting disabled the risk is minimal if not void, because heap spraying preparation would be very impractical or impossible.
There's no additional privacy risk that I can think of.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
SVGPonderer

Re: SVG and NoScript

Post by SVGPonderer »

Okay, thank you :)
Going to keep it on then.

How about SafeCache and SafeHistory with Fx 3.5? I was dreaming, right? They cannot do their task even if I somehow keep them enabled in Fx 3.5? I was under the impression that even you were using them, hence my questioning.
Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5
Giorgio Maone

Re: SVG and NoScript

Post by Giorgio Maone »

SafeHistory is broken on recent Firefox. You can switch the layout.css.visited_links_enabled about:config property to false if you're concerned about this issue and you don't mind the usability impact.
I'm not sure about SafeCache, since I don't use it (I flush my cache after every session).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
SVGPonderer

Re: SVG and NoScript

Post by SVGPonderer »

Thanks :)

I don't need history a lot anyway. Only "recently closed tabs" and windows are useful to me, and those can't be sniffed if I'm not mistaken.
Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5