Page 1 of 1
Why does NS allow to forbid fonts but not SVG ?
Posted: Sun Jul 13, 2014 10:41 pm
by Shinobi
Hi,
I see that fonts can be blocked by NoScript from the UI. I guess it means they present a security risk worth mentioning. But then I don't understand, why was SVG put in a different boat ? Shouldn't there be a placeholder for SVG and eventually an UI checkbox ?
If not I'm curious about the reasoning.
Re: Why does NS allow to forbid fonts but not SVG ?
Posted: Mon Jul 14, 2014 12:24 am
by barbaz
What SVG security issues are there that NoScript doesn't already cover?
Re: Why does NS allow to forbid fonts but not SVG ?
Posted: Mon Jul 14, 2014 10:40 am
by Shinobi
I have no idea, but couldn't you ask the same for fonts ? Both sound like comparable attack vectors, yet NoScript can only block fonts.
Here are some
SVG security issues already fixed. There are privacy issues as well but I'm not sure they can be abused without JS.
Anyway you are saying that the reason SVG isn't directly blockable from NoScript is that the entirety of its attack vector is covered by other NoScript functionalities, like regular JS blocking, XSS or clickjacking protection ?
And it was not the case for fonts, which NS had to handle specifically ?
Re: Why does NS allow to forbid fonts but not SVG ?
Posted: Mon Jul 14, 2014 3:31 pm
by barbaz
I'm not making any claims about the extent/scope of potential SVG attack vector (I'm no expert in that sort of stuff). I just would like to understand why you think SVG poses a significant security threat (meaning more so than static HTML, other types of images, and other things that NoScript won't generally block by default). When I said NoScript already covers some SVG security issues, I was thinking along the lines of
this.
Why NoScript Blocks Web Fonts